Atomic Edge analysis of CVE-2025-14864:
The Virusdie WordPress plugin version 1.1.7 and earlier contains a missing authorization vulnerability. This flaw allows authenticated users with Subscriber-level permissions or higher to retrieve the site’s Virusdie API key via an AJAX endpoint. The CVSS 4.3 score reflects a medium severity information exposure issue.

Atomic Edge research identifies the root cause in the plugin’s AJAX action registration. In the vulnerable version, the file `virusdie/inc/class-virusdie.php` registers the `vd_get_apikey` function to the `wp_ajax_virusdie_apikey` hook at line 71. The corresponding function `VDWS_VirusdieBehavior::vd_get_apikey` lacks any capability check. The `canDoAjax` function in `virusdie/inc/tools/class-virusdie-behavior.php` contains a proper `current_user_can('manage_options')` check, but the vulnerable AJAX handler does not call this function before processing the request.

Exploitation requires an authenticated attacker with any valid WordPress user account. The attacker sends a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to `virusdie_apikey`. No additional parameters are required. The server responds with the site’s Virusdie API key in plaintext, which the attacker can then use to interact with the Virusdie service as the site owner.

The patch completely removes the vulnerable AJAX endpoint registration. In `virusdie/inc/class-virusdie.php`, lines 71-74, the developer commented out four `add_action` calls, including the critical `add_action( 'wp_ajax_virusdie_apikey', 'VDWS_VirusdieBehavior::vd_get_apikey' )`. The plugin version number increments from 1.1.7 to 1.1.8. The patch also comments out the entire `canDoAjax` function and related AJAX handler functions in `class-virusdie-behavior.php`, effectively disabling all AJAX functionality rather than implementing proper authorization checks.
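Because the fix consists of commenting the registration out, a site owner can confirm which state an installed copy is in by checking whether the `add_action` call is still live. The following is an added example, not code from Atomic Edge or the plugin; the sample inputs are constructed, and only the hook and callback names come from the analysis above.

```python
import re
import sys

# Hook name taken from the analysis above.
VULN_HOOK = "wp_ajax_virusdie_apikey"

# Single pass over the source: string literals are kept, comments are dropped,
# so a "//" inside a quoted URL is not mistaken for a comment.
_TOKEN = re.compile(
    r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # quoted strings
    |(?P<block>/\*.*?\*/)                           # block comments
    |(?P<line>(?://|\#)[^\n]*)                      # line comments
    """,
    re.S | re.X,
)

# Matches add_action('wp_ajax_...', 'callback'); only string callbacks are handled.
_ADD_ACTION = re.compile(
    r"""add_action\s*\(\s*(['"])(wp_ajax_(?:nopriv_)?[\w-]+)\1\s*,\s*(['"])([^'"]+)\3"""
)

def strip_php_comments(src):
    """Remove PHP comments while leaving string literals untouched."""
    return _TOKEN.sub(lambda m: m.group("str") or " ", src)

def live_ajax_hooks(src):
    """Return {hook: callback} for add_action() calls that are not commented out."""
    cleaned = strip_php_comments(src)
    return {m.group(2): m.group(4) for m in _ADD_ACTION.finditer(cleaned)}

def exposes_apikey_endpoint(src):
    """True if the hook named in the analysis is still registered in this source."""
    return VULN_HOOK in live_ajax_hooks(src)

# Constructed samples (not the plugin's real source): live vs commented out.
SAMPLE_LIVE = "add_action( 'wp_ajax_virusdie_apikey', 'VDWS_VirusdieBehavior::vd_get_apikey' );"
SAMPLE_PATCHED = "// " + SAMPLE_LIVE + "\n/* " + SAMPLE_LIVE + " */"

if __name__ == "__main__":
    # Usage: pass the path to the installed virusdie/inc/class-virusdie.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    for hook, callback in sorted(live_ajax_hooks(source).items()):
        print(f"live AJAX hook: {hook} -> {callback}")
    sys.exit(1 if exposes_apikey_endpoint(source) else 0)
```

A non-zero exit status means the endpoint registration is still active in that file and the plugin should be updated to 1.1.8.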

Successful exploitation exposes the site’s Virusdie API key. An attacker can use this key to access the site owner’s Virusdie account through the external service API. This access could allow manipulation of security settings, initiation of malicious scans, or retrieval of sensitive scan results. The API key could also be used to link the compromised site with other sites in the attacker’s control within the Virusdie ecosystem.