Restrict File Access WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Restrict File Access plugin for WordPress, affecting all versions through 1.1.2. The vulnerability arises from inadequate nonce validation on the 'restrict-file-access' page, enabling unauthenticated attackers to delete arbitrary files from the server via a forged request, provided they can trick an administrator into initiating the action (for example, by following a link while logged in). Deleting a critical file such as wp-config.php could lead to remote code execution.
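As an added illustration (this is not the plugin's own code; the function names, the rfa_ prefix, the rfa_base_dir option and the file parameter are hypothetical), the vulnerable pattern the advisory describes is shown beside a hardened WordPress handler that checks capability, verifies the nonce and confines the path to a managed directory:

```php
<?php
// Hypothetical illustration of the bug class described above (not the plugin's code).
// Both handlers are assumed to be registered via admin_post_* hooks; the hypothetical
// option 'rfa_base_dir' is assumed to hold the directory of files the plugin manages.

// Vulnerable pattern: the handler trusts any request that reaches the admin page.
// It never proves the request came from the site's own UI (no nonce check) and
// never checks who is asking (no capability check), so a forged GET or POST
// issued by a logged-in administrator's browser deletes whatever path it names.
function rfa_delete_file_vulnerable() {
    $file = $_REQUEST['file'] ?? '';
    $path = ABSPATH . $file;                       // caller controls the full path
    if ( file_exists( $path ) ) {
        unlink( $path );                           // e.g. wp-config.php is gone
    }
    wp_safe_redirect( admin_url( 'admin.php?page=restrict-file-access' ) );
    exit;
}

// Hardened pattern: authorization, CSRF defence, then strict input confinement.
function rfa_delete_file_hardened() {
    // 1. Authorization: only users who may manage the site can delete files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the nonce must match the action used when the form was
    //    rendered (see rfa_render_delete_form below). check_admin_referer() dies
    //    on a missing or invalid nonce, so a forged cross-site request stops here.
    check_admin_referer( 'rfa_delete_file', 'rfa_nonce' );

    // 3. Input confinement: accept a bare file name, never a path, and verify the
    //    resolved target really lives inside the managed directory.
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $base = realpath( get_option( 'rfa_base_dir' ) );  // hypothetical option
    $path = ( '' !== $name && false !== $base ) ? realpath( trailingslashit( $base ) . $name ) : false;
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );                           // filterable unlink()
    wp_safe_redirect( admin_url( 'admin.php?page=restrict-file-access' ) );
    exit;
}

// The form that issues the delete must embed the matching nonce; without this
// field, even a legitimate submission is rejected by check_admin_referer().
function rfa_render_delete_form( $file_name ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rfa_delete_file">';
    echo '<input type="hidden" name="file" value="' . esc_attr( $file_name ) . '">';
    wp_nonce_field( 'rfa_delete_file', 'rfa_nonce' );  // emits the nonce + referer fields
    submit_button( 'Delete' );
    echo '</form>';
}
```

Because the nonce is tied to the logged-in user and session, it gives the handler evidence the request originated from the site's own form rather than a third-party page, and the capability check prevents lower-privileged users from invoking the action at all.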

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files on the server, potentially leading to remote code execution if a sensitive file is deleted.

Added: Jul 15, 2025, 12:17 PM
Updated: Jul 15, 2025, 12:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.0
remediation: 0.0
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.