CVE-2025-14864
Sensitive Information Exposure in Virusdie WordPress Plugin API Key
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| virusdie | virusdie | all versions up to and including 1.1.7 |
| virusdie | one-click_website_security_plugin | all versions up to and including 1.1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Virusdie One-click website security plugin for WordPress has a vulnerability in all versions up to and including 1.1.7. This vulnerability is due to missing capability checks on the function `vd_get_apikey`, which is hooked to the AJAX action `wp_ajax_virusdie_apikey`. Because of this, authenticated attackers with Subscriber-level access or higher can retrieve the site's Virusdie API key.
The exposed API key could allow attackers to access the site owner's Virusdie account, potentially compromising the security of the website.
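The shape of the missing check, as an added illustration of the CWE-862 pattern described above; this is not the plugin's source. The `example_*` function names, the `virusdie_apikey` option key and the nonce action name are assumptions; only the hook name `wp_ajax_virusdie_apikey` comes from the advisory.

```php
<?php
// Added illustration of the CWE-862 pattern behind this CVE; not the plugin's source.
// Assumed names: the example_* functions, the 'virusdie_apikey' option key and the nonce action.

// Vulnerable shape: wp_ajax_{action} fires for every logged-in user, Subscriber included,
// and nothing here asks who is calling, so any account can read the key.
// Shown for contrast only; deliberately not hooked below.
function example_get_apikey_unchecked() {
    wp_send_json_success( array( 'apikey' => get_option( 'virusdie_apikey' ) ) );
}

// Hardened shape: (1) a capability check so only administrators can read the key and
// (2) a nonce check so an administrator cannot be made to issue the request cross-site.
// Both wp_send_json_error() and a failed check_ajax_referer() end the request via wp_die(),
// so nothing after them runs for an unauthorized caller.
function example_get_apikey_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'example_apikey_nonce', 'nonce' );
    wp_send_json_success( array( 'apikey' => get_option( 'virusdie_apikey' ) ) );
}
add_action( 'wp_ajax_virusdie_apikey', 'example_get_apikey_checked' );

// The admin page that issues the AJAX call must send a matching nonce, created with
// wp_create_nonce( 'example_apikey_nonce' ) and passed as the 'nonce' request field.
```

The capability check is the fix for the flaw the advisory names; the nonce check is the companion control that a reviewer would expect on any AJAX handler returning a secret, since without it a Subscriber who cannot call the endpoint directly could still lure an administrator's browser into calling it.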
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with at least Subscriber-level access to obtain the Virusdie API key for the site.
With the API key, the attacker could access the site owner's Virusdie account, which may lead to unauthorized control over security features, potentially compromising the website's security.
The CVSS v3.1 base score of 4.3 falls in the Medium band of the qualitative scale (4.0 to 6.9): the flaw discloses information to a low-privileged authenticated user but does not by itself affect integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows authenticated users with Subscriber-level access or higher to retrieve the Virusdie API key via the AJAX action `wp_ajax_virusdie_apikey` due to missing capability checks.
To detect exploitation attempts, monitor HTTP requests to `admin-ajax.php` whose `action` parameter is `virusdie_apikey`. Keep in mind that `admin-ajax.php` reads `action` from `$_REQUEST`, so the parameter may be sent in the query string (visible in a standard access log) or in a POST body (not visible in a standard access log, which records only the request line).
Example commands for web server logs or live traffic:
- Search Apache or Nginx access logs for query-string calls; do not anchor on `?action=`, because the parameter need not come first: `grep -E 'admin-ajax\.php\?[^ "]*action=virusdie_apikey' /var/log/apache2/access.log`
- Capture plaintext HTTP traffic that carries the action anywhere in the request, POST body included (`http.request.uri contains` would inspect only the URL); this works only where the traffic is visible unencrypted, for example on the hop behind a TLS-terminating proxy: `tshark -Y 'http contains "virusdie_apikey"'`
- Checking WordPress audit or user activity logs (if available) for any user below Administrator calling this action; a hook inside WordPress is the only vantage point that sees POST-bodied calls together with the calling account.
Because the vulnerability requires authenticated access at Subscriber level or above, tie every hit back to the logged-in account that made it rather than only to a source IP, and investigate any Subscriber-level account found calling this action.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Virusdie plugin to version 1.1.8 or later, where security enhancements have been implemented to fix this vulnerability.
The update restricts AJAX endpoints, disables unauthorized UI controls, and improves permission checks to prevent unauthorized API key disclosure.
If updating immediately is not possible, consider temporarily restricting access to the AJAX endpoint by:
- Limiting access to `admin-ajax.php` with the `virusdie_apikey` action to trusted users or IP addresses via web server rules. Such rules can match the action only when it is sent in the query string, since the web server does not parse POST bodies by default, so treat this as a partial control.
- Disabling or removing the Virusdie plugin until a secure version can be installed.
- Reviewing and tightening WordPress user roles and permissions to minimize the number of users with Subscriber-level or higher access. In particular, turn off open registration (Settings > General > "Anyone can register") unless the site needs it, because it lets an attacker create the Subscriber account this attack requires.
Additionally, after applying the update, monitor your site for any signs of compromise related to API key exposure.
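An added example, not the vendor's code, that serves two points made above: the detection answer's observation that only a hook inside WordPress sees POST-bodied calls together with the calling account, and the mitigation list's temporary restriction of the AJAX endpoint while the update is pending. It is a must-use plugin dropped into `wp-content/mu-plugins/` that hooks `wp_ajax_virusdie_apikey` ahead of the plugin's own handler, logs every call, and refuses non-administrators. Assumptions: the plugin registers its handler at WordPress's default priority of 10 (so a priority-0 callback runs first), `manage_options` is the chosen threshold, and the `example_` names are mine.

```php
<?php
/**
 * Plugin Name: Virusdie API key gate (temporary, added example)
 * Description: Logs and blocks non-administrator calls to the virusdie_apikey AJAX action.
 * Place in wp-content/mu-plugins/ and remove after updating the plugin to 1.1.8 or later.
 */

// Assumptions: the plugin hooks its handler at the default priority (10), so a priority-0
// callback runs first; 'manage_options' as the threshold is a policy choice for this example.

function example_vd_apikey_gate() {
    $user    = wp_get_current_user();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $allowed = current_user_can( 'manage_options' );

    // Detection: every call is recorded with the calling account and outcome, whether the
    // action arrived in the query string or a POST body, which is the access log's blind spot.
    error_log( sprintf(
        'virusdie_apikey request: user=%d (%s) roles=%s ip=%s result=%s',
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip,
        $allowed ? 'allowed' : 'blocked'
    ) );

    if ( ! $allowed ) {
        // wp_send_json_error() ends the request via wp_die(), so the plugin's handler at
        // priority 10 never runs for this user and the key is never emitted.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
add_action( 'wp_ajax_virusdie_apikey', 'example_vd_apikey_gate', 0 );
```

Entries land in the PHP error log (or `wp-content/debug.log` when `WP_DEBUG_LOG` is on); any line with `result=blocked` is an attempt by an account that should not hold the key, and a `result=allowed` line for an unfamiliar administrator account deserves the same attention. The file is a stopgap only: remove it once the plugin has been updated, since a future plugin version may change the hook or priority.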