CVE-2025-5142 MEDIUM

CVE-2025-5142: Simple Page Access Restriction <= 1.0.31 - Cross-Site Request Forgery via Multiple Parameters

Vendor Pluginsandsnippets
Product Simple Page Access Restriction
Weakness CWE-352 · CSRF
Published May 30, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when it’s later removed, or (4) to conduct URL redirection attacks via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

May 30, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-4689 Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery CVE-2023-52127 WordPress WPC Product Bundles for WooCommerce Plugin <= 7.3.1 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2023-33333 WordPress Complianz and Complianz Premium plugins - Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) CVE-2026-27090 WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability CVE-2021-34636 Countdown and CountUp, WooCommerce Sales Timer <= 1.5.7 Cross-Site Request Forgery to Stored Cross-Site Scripting