Background Control <= 1.0.5 – Cross-Site Request Forgery to Arbitrary File Deletion | CVE 2025-22784 | Plugin Vulnerabilities

Description

The Background Control plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

background-control

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b20a793a-82ff-41ba-95a2-3c3b4f98617d

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

ardias

Verified

No

WPVDB ID

d67b7f9b-3a6f-4605-be7a-0a448268cadf

Timeline

Publicly Published

2025-01-13 (about 1 year ago)

Added

2025-01-21 (about 1 year ago)

Last Updated

2025-01-21 (about 1 year ago)

Other

Published

Title

Published

2025-02-14

Title

what3words Address Field < 4.0.16 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-07-17

Title

Cooked – Recipe Management < 1.8.0 - Cross-Site Request Forgery via cooked_get_recipe_ids

Published

2023-11-07

Title

ANAC XML Bandi di Gara <= 7.5 - Cross-Site Request Forgery via settings.php

Published

2025-07-16

Title

Theme Builder For Elementor < 1.2.4 - Cross-Site Request Forgery

Published

2021-12-24

Title

Spreadsheet Integration < 3.6.0 - CSRF Bypass