SecuPress Free < 2.3.10 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation | CVE 2025-3452 | Plugin Vulnerabilities

Description

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.

Affects Plugins

Fixed in 2.3.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

be1650bc-3f30-4f04-b33a-a956ade05977

Timeline

Publicly Published

2025-04-28 (about 1 year ago)

Added

2025-04-28 (about 1 year ago)

Last Updated

2025-04-29 (about 1 year ago)

Other

Published

Title

Published

2026-01-05

Title

Sugar Calendar (Lite) < 3.10.0 - Missing Authorization

Published

2025-01-06

Title

Hive Support – WordPress Help Desk < 1.1.7 - Missing Authorization

Published

2025-12-31

Title

Tasty Recipes Lite < 1.1.6 - Missing Authorization

Published

2025-06-26

Title

VG WORT METIS <= 2.0.1 - Missing Authorization

Published

2026-03-23

Title

Product Filter for WooCommerce by WBW < 3.1.3 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE