ByteOS Network

CVE Vulnerability Details :

CVE-2025-14864

PUBLISHED

More Info Official Page

Assigner-Wordfence

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-19 Feb, 2026 | 04:36

Updated At-19 Feb, 2026 | 04:36

▼CVE Numbering Authority (CNA)

Virusdie <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromise site security.

Affected Products

Vendor

virusdie

Product

Virusdie – One-click website security

Default Status

unaffected

Versions

Affected

From * through 1.1.7 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-862	CWE-862 Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: CWE-862 Missing Authorization

Metrics

Version	Base score	Base severity	Vector
3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Credits

finder

Sushi Com Abacate

Timeline

Event	Date
Disclosed	2026-02-18 00:00:00

Event: Disclosed

Date: 2026-02-18 00:00:00

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e95-d010a586d060?source=cve	N/A
https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php#L75	N/A
https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusdie-behavior.php#L240	N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450727%40virusdie&new=3450727%40virusdie&sfp_email=&sfph_mail=	N/A