PT-2025-50925 · WordPress · Content Locking+1

Deadbee · Published 2025-12-12 · Updated 2025-12-12 · CVE-2025-14159

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Secure Copy Content Protection and Content Locking plugin for WordPress versions through 4.9.2

Description

The plugin is susceptible to Cross-Site Request Forgery due to the absence of nonce validation on the ays sccp results export file AJAX action. This allows unauthenticated attackers to export sensitive plugin data, including email addresses, IP addresses, physical addresses, user IDs, and other user information, by deceiving a site administrator into performing an action. The exported data is stored in a publicly accessible file, enabling attackers to obtain the sensitive information without authentication.

Recommendations

Versions prior to and including 4.9.2 should be updated to a newer, fixed version when available. As a temporary workaround, consider disabling the ays sccp results export file AJAX action until a patch is available.
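One way to apply the temporary workaround above is a must-use plugin that rejects the export action before the plugin's own handler runs. This is an added example, not code from the plugin or its vendor; the hook name `ays_sccp_results_export_file` is an assumption (the page's action name joined with underscores) that should be confirmed against the plugin source, and the file name is hypothetical.

```php
<?php
/**
 * Plugin Name: Block SCCP results export (temporary workaround)
 *
 * Added example. Save as wp-content/mu-plugins/block-sccp-export.php
 * (hypothetical file name) and remove it once a fixed plugin version is installed.
 */

// ASSUMPTION: the AJAX action named on the page, written with underscores.
// Verify against the plugin's add_action( 'wp_ajax_...' ) registration.
const SCCP_EXPORT_ACTION = 'ays_sccp_results_export_file';

// admin-ajax.php fires admin_init before it dispatches wp_ajax_* hooks,
// so terminating here prevents the vulnerable handler from running at all.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return; // Ordinary wp-admin page loads are not affected.
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( SCCP_EXPORT_ACTION !== $action ) {
        return; // Every other AJAX action is left alone.
    }

    // Record the blocked attempt for later review. The referer is
    // attacker-influenced, so it is sanitised before being logged.
    error_log( sprintf(
        '[sccp-export-block] blocked export request user_id=%d referer=%s',
        get_current_user_id(),
        esc_url_raw( (string) wp_get_raw_referer() )
    ) );

    wp_die(
        'Results export is disabled until the plugin is updated.',
        'Forbidden',
        array( 'response' => 403 )
    );
}, 0 );
```

Blocking the action stops new export files from being written; files created by earlier exports stay where the plugin stored them and need to be located and removed separately.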

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-14159

Affected Products

Content Locking
Secure Copy Content Protection