Description
The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated file deletion leading to remote code execution
Action: Patch immediately
AI Analysis

Impact

The Restrict File Access plugin for WordPress allows an attacker without authentication to delete any file on the server by exploiting a missing or incorrect nonce validation on the plugin’s configuration page. The flaw provides a clear pathway for an attacker to remove critical files, such as wp-config.php, which can then be used to hijack the site and execute arbitrary code. The vulnerability is classified as Cross‑Site Request Forgery (CWE‑352).

Affected Systems

WordPress sites running the Restrict File Access plugin with a version equal to or older than 1.1.2 are impacted. The vulnerability is vendor specific to the plugin provided by josxha. No other versions or plugins are listed as affected.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity of exploitation. The EPSS score of less than 1% suggests that the overall probability of exploitation in the wild is currently low, but the known vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the vulnerability via a forged link or form submission that lacks proper nonce verification, enabling them to delete arbitrary files. Because the exploit does not require privileged credentials and can be executed by a remote entity, it remains a significant risk to affected sites.

Generated by OpenCVE AI on April 20, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Restrict File Access plugin to the latest non‑vulnerable release (any version above 1.1.2).
  • If an upgrade is not immediately feasible, disable the plugin’s administrative pages for all users except the site administrator by applying a role‑based restriction or temporarily removing the plugin from the site.
  • Implement additional CSRF protection on the site, such as enforcing nonces on all admin forms or using a security plugin that validates nonce tokens for sensitive actions.

Generated by OpenCVE AI on April 20, 2026 at 20:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21422 The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00135}

 epss

{'score': 0.00081}

Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00135}

Tue, 15 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Restrict File Access <= 1.1.2 - Cross-Site Request Forgery to Arbitrary File Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:52.350Z

Reserved: 2025-07-14T21:43:01.363Z

Link: CVE-2025-7667

cve-icon Vulnrichment

Updated: 2025-07-15T13:14:21.680Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T12:15:22.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7667

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses