4.3
WordPress Virusdie Plugin Leaks API Key to Authenticated Attackers
CVE-2025-14864
Summary
The Virusdie plugin for WordPress, used for website security, exposes the site's Virusdie API key to any authenticated user with Subscriber-level access or above. An attacker holding that key could access the site owner's Virusdie account and potentially compromise site security. Update the plugin to version 1.1.8 or later to fix this issue.
Original title
The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks ...
Original description
The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromise site security.
NVD CVSS 3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php...
- https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusd...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e9...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026