Executive Summary

The Virusdie One-click website security plugin for WordPress has a vulnerability in all versions up to and including 1.1.7. This vulnerability is due to missing capability checks on the function `vd_get_apikey`, which is hooked to the AJAX action `wp_ajax_virusdie_apikey`. Because of this, authenticated attackers with Subscriber-level access or higher can retrieve the site's Virusdie API key.

The exposed API key could allow attackers to access the site owner's Virusdie account, potentially compromising the security of the website.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker with at least Subscriber-level access to obtain the Virusdie API key for the site.

With the API key, the attacker could access the site owner's Virusdie account, which may lead to unauthorized control over security features, potentially compromising the website's security.

The CVSS v3.1 base score of 4.3 indicates a low to medium severity impact, with the vulnerability allowing information disclosure but not directly affecting integrity or availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability allows authenticated users with Subscriber-level access or higher to retrieve the Virusdie API key via the AJAX action `wp_ajax_virusdie_apikey` due to missing capability checks.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the AJAX endpoint related to the Virusdie plugin, specifically requests to `admin-ajax.php` with the action parameter set to `virusdie_apikey`.

Example commands to detect such requests in web server logs or via live monitoring include:

• Using grep on Apache or Nginx access logs to find suspicious AJAX calls: `grep 'admin-ajax.php?action=virusdie_apikey' /var/log/apache2/access.log`
• Using tcpdump or tshark to capture HTTP traffic containing the AJAX action: `tshark -Y 'http.request.uri contains "admin-ajax.php?action=virusdie_apikey"'`
• Checking WordPress user activity logs (if available) for Subscriber or higher users making AJAX requests to this endpoint.

Note that the vulnerability requires authenticated access at Subscriber level or above, so monitoring authenticated user actions and AJAX requests is key.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the Virusdie plugin to version 1.1.8 or later, where security enhancements have been implemented to fix this vulnerability.

The update restricts AJAX endpoints, disables unauthorized UI controls, and improves permission checks to prevent unauthorized API key disclosure.

If updating immediately is not possible, consider temporarily restricting access to the AJAX endpoint by:

• Limiting access to `admin-ajax.php` with the `virusdie_apikey` action to only trusted users or IP addresses via web server rules.
• Disabling or removing the Virusdie plugin until a secure version can be installed.
• Reviewing and tightening WordPress user roles and permissions to minimize the number of users with Subscriber-level or higher access.

Additionally, after applying the update, monitor your site for any signs of compromise related to API key exposure.

Useful 0 Not Useful 0