CVE-2025-3452: 
WordPress vulnerability analysis and mitigation

The SecuPress Free WordPress Security plugin for WordPress contains a missing capability check vulnerability (CVE-2025-3452) in the 'secupressreinstallpluginsadminajax_cb' function in versions up to and including 2.3.9. This vulnerability was discovered and disclosed on April 28, 2025 (NVD, Wordfence).

The vulnerability stems from a missing authorization check in the plugin's functionality that allows authenticated users with Subscriber-level access and above to install arbitrary plugins. The issue has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD).

This vulnerability allows authenticated attackers with Subscriber-level privileges to install arbitrary WordPress plugins on the affected site. This could potentially lead to unauthorized modification of the website's functionality and compromise of site security (NVD).

A patch has been released to address this vulnerability. Site administrators should update the SecuPress Free WordPress Security plugin to version 2.3.10 or later. The fix can be found in the plugin's repository (WordPress Plugin).