CVE-2025-14159

CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 94.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ays-pro Secure Copy Content Protection AND Content Locking

Timeline

PublishedDec 12

Description

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administra…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5ays-pro/secure_copy_content_protection_and_content_locking4.9.2

🔴Vulnerability Details

CVEList

Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export↗2025-12-12

▶

GHSA

GHSA-4x4p-8hj2-h92h: The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and inc↗2025-12-12

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14159 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶