Simple Page Access Restriction < 1.0.32 – Cross-Site Request Forgery via Multiple Parameters | CVE 2025-5142 | Plugin Vulnerabilities

Description

The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when it’s later removed, or (4) to conduct URL redirection attacks via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

simple-page-access-restriction

Fixed in 1.0.32

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/657e2a4d-7e10-495d-8352-1adc0cb89e83

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

4f7dcce1-169d-4efa-bf63-1d66848e0236

Timeline

Publicly Published

2025-05-29 (about 1 year ago)

Added

2025-05-29 (about 1 year ago)

Last Updated

2025-05-30 (about 1 year ago)

Other

Published

Title

Published

2025-09-22

Title

Casengo Live Chat Support <= 2.1.4 - Cross-Site Request Forgery

Published

2024-06-12

Title

Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF

Published

2025-04-11

Title

Listings for Buildium < 0.1.6 - Stored XSS via CSRF

Published

2022-07-05

Title

Visualizer: Tables and Charts Manager for WordPress < 3.7.10 - Contributor+ PHAR Deserialization

Published

2023-10-16

Title

which template file < 4.9 - Arbitrary Settings Update via CSRF