What the vulnerability does
01 Description
The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request, provided that they can trick a site administrator into performing an action such as clicking on a link.
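Since the advisory attributes the issue to missing nonce validation on an admin page whose action deletes files, the PHP below contrasts that pattern with a hardened handler. This is an added illustration, not code from the Restrict File Access plugin or from the advisory; the function names (rfa_*), the 'rfa_delete_file' action, the 'rfa_file' parameter and the choice to confine deletions to the uploads directory are assumptions made for the example. The WordPress functions it calls (wp_nonce_field, check_admin_referer, current_user_can, wp_upload_dir, wp_delete_file, submit_button, wp_die) are real core APIs.

```php
<?php
// Added illustration; the rfa_* names, the action and parameter names are
// hypothetical and not taken from the Restrict File Access plugin.

// --- Vulnerable shape: trusts any POST that reaches the admin page. ---
function rfa_delete_file_vulnerable() {
    if ( isset( $_POST['rfa_delete_file'], $_POST['rfa_file'] ) ) {
        // No nonce and no capability check, so a request forged by another
        // site (e.g. an auto-submitting form) and sent by a logged-in admin's
        // browser is accepted. The path is not validated either, so a value
        // such as ../../wp-config.php resolves to an arbitrary file.
        $path = ABSPATH . wp_unslash( $_POST['rfa_file'] );
        unlink( $path );
    }
}

// --- Hardened shape ---

// Render the form with a nonce bound to this specific action.
function rfa_render_delete_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rfa_delete_file', 'rfa_delete_nonce' );
    echo '<input type="text" name="rfa_file">';
    submit_button( 'Delete file', 'delete', 'rfa_delete_file' );
    echo '</form>';
}

// Resolve a user-supplied relative name to a real file strictly below the
// uploads directory (assumed scope for this example); return false otherwise.
function rfa_resolve_upload_path( $relative ) {
    $base   = realpath( wp_upload_dir()['basedir'] );
    $target = realpath( $base . '/' . ltrim( wp_unslash( $relative ), '/' ) );
    if ( false === $base || false === $target ) {
        return false;
    }
    // realpath() has already collapsed any ../ segments; now require the
    // result to sit inside $base, which blocks traversal out of uploads.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return is_file( $target ) ? $target : false;
}

function rfa_delete_file_hardened() {
    if ( ! isset( $_POST['rfa_delete_file'] ) ) {
        return;
    }
    // 1. CSRF: the request must carry a nonce issued for this action to this
    //    user. check_admin_referer() calls wp_die() when it does not.
    check_admin_referer( 'rfa_delete_file', 'rfa_delete_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rfa' ), 403 );
    }

    // 3. Path confinement: the request may not name an arbitrary file.
    $target = rfa_resolve_upload_path( $_POST['rfa_file'] ?? '' );
    if ( false === $target ) {
        wp_die( esc_html__( 'Invalid file.', 'rfa' ), 400 );
    }
    wp_delete_file( $target );
}
add_action( 'admin_init', 'rfa_delete_file_hardened' );
```

The nonce check alone closes the CSRF vector the advisory describes, because a third-party page cannot read the per-user, per-action token that wp_nonce_field embeds. The capability check and the path confinement are defence in depth: without them, a nonce leaked or obtained by a lower-privileged user, or a valid admin request with a traversal payload, would still reach unlink().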
Explanation of Vulnerability in Simple Terms
02 Summary
Restrict File Access versions up to and including 1.1.2 contain a cross-site request forgery (CSRF) vulnerability. The plugin's 'restrict-file-access' admin page does not validate a nonce on its file-deletion action, so it cannot distinguish a request the administrator intended from one forged by a page the attacker controls. An attacker who lures a logged-in administrator to a malicious link or page can therefore have the administrator's browser submit a request that deletes a file of the attacker's choosing. Deleting wp-config.php, for example, leaves WordPress offering its setup wizard to any visitor, which is why the advisory rates the issue as potentially leading to remote code execution. No attacker account on the site is required, only the administrator's interaction.
What an attacker can do
03 Attacker Capabilities
Delete arbitrary files on the server, with the permissions of the web server process, by forging a request that a logged-in site administrator's browser submits. The attacker needs no account on the site; the administrator's authenticated session is what carries the forged request.
Potential impact on your site
04 Site Impact
Loss of any file the web server is allowed to delete, including uploads, plugin and theme files and WordPress core files. Deleting wp-config.php disconnects the site from its database and exposes the install wizard, the path to full site takeover and remote code execution that the advisory warns about. Even less damaging targets can take the site offline or disable security controls.
Conditions required to exploit
05 Prerequisites
The site runs Restrict File Access 1.1.2 or earlier, and an administrator must be logged in to the site and, during that session, visit a page or click a link the attacker controls. No flaw in the administrator's browser is needed; the forged request rides on the existing authenticated session.
Key dates
06 Disclosure timeline
July 15, 2025
CVE published
April 8, 2026
Record updated