The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to

WORDPRESS

15-07-2025 09:20

CVE-2025-7667 Vulnerabilidad documentada

Sin puntuación

Tags

#wordpress

#site

#plugin

#cross

#wp

#server

#php

#form

#cross-site

#config

#admin

#attackers

#authenticated

#arbitrary

#vulnerable

#remote

#execution

#attack

#access

Descripción

The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This due missing or incorrect nonce validation on the 'restrict-file-access' page. makes it possible unauthenticated attackers delete arbitrary files server, which can easily lead remote code execution when right file deleted (such as wp-config.php), via a forged request granted they trick site administrator into performing an action such clicking link.

https://plugins.trac.wordpress.org/browser/restrict-file-access/trunk/admin/admin.php#L78

https://www.wordfence.com/threat-intel/vulnerabilities/id/e1105717-134b-48cc-960d-f78437c06793?source=cve

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-7667

Resultados similares

Coincidentes en almenos en 50% de los tags

15-07-2025 CVE-2025-4369
The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Ver información

15-07-2025 CVE-2025-7367
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t...
Ver información