CVE-2025-5142: CWE-352 Cross-Site Request Forgery (CSRF) in pluginsandsnippets Simple Page Access Restriction

Severity: Medium
Published: Fri May 30 2025 (05/30/2025, 09:22:06 UTC)
Source: CVE Database V5
Vendor/Project: pluginsandsnippets
Product: Simple Page Access Restriction

Description

The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when the plugin is later removed, or (4) conduct URL redirection attacks via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 15:06:05 UTC

Technical Analysis

The Simple Page Access Restriction plugin for WordPress, up to version 1.0.31, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-5142. This vulnerability stems from the absence of nonce validation and capability checks in the settings.php script's save handler, which is responsible for managing plugin configuration changes. Because of this, an unauthenticated attacker can craft malicious requests that, when executed by an authenticated administrator (via social engineering such as clicking a link), can alter critical plugin settings without authorization. Specifically, attackers can enable or disable access protection across all post types and taxonomies, override meta-box settings to force new content to be public or private, silently erase all plugin data upon plugin removal, or perform URL redirection attacks. The vulnerability does not affect confidentiality directly but impacts integrity by allowing unauthorized modification of access controls and availability by potentially wiping plugin data. The attack vector is remote with low complexity, requiring no privileges but necessitating user interaction. The CVSS 3.1 score of 6.5 reflects a medium severity rating, highlighting the importance of addressing this issue promptly. No patches or fixes are currently linked, and no exploits have been observed in the wild, but the risk remains significant due to the potential for administrative account misuse and content control disruption.
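The root cause named in the description and the analysis above is a settings save handler that performs neither a nonce check nor a capability check. The following is an added illustration written for this page, not the plugin's own code (which the page does not show): a hypothetical WordPress handler with both checks missing, beside a hardened version. All `example_spar_*` function names, form fields and option keys are assumed.

```php
<?php
// Hypothetical WordPress settings handler (added illustration, not the plugin's
// code). All example_spar_* names, fields and option keys are assumed.
// BEFORE: the CWE-352 pattern the advisory describes. Nothing ties the request
// to a form this site issued and nothing checks who submitted it, so a forged
// cross-site POST carried by a logged-in administrator's browser is saved.
function example_spar_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_spar_save'] ) ) {
        return;
    }
    update_option( 'example_spar_protect_all', ! empty( $_POST['protect_all'] ) ? 1 : 0 );
    update_option( 'example_spar_default_visibility',
        sanitize_text_field( wp_unslash( $_POST['default_visibility'] ?? '' ) ) );
}
// AFTER: the settings form carries a nonce bound to a named action...
function example_spar_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_spar_save_settings', 'example_spar_nonce' ); ?>
        <label><input type="checkbox" name="protect_all" value="1"> Protect all post types</label>
        <select name="default_visibility">
            <option value="meta_box">Follow meta box</option>
            <option value="public">Public</option>
            <option value="private">Private</option>
        </select>
        <button type="submit" name="example_spar_save" value="1">Save</button>
    </form>
    <?php
}
// ...and the handler verifies both the capability and the nonce before writing.
function example_spar_save_settings_hardened() {
    if ( ! isset( $_POST['example_spar_save'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-spar' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() calls wp_die() when the nonce is missing,
    // expired, or was issued for a different user or action.
    check_admin_referer( 'example_spar_save_settings', 'example_spar_nonce' );
    // Allow-list the visibility value instead of storing arbitrary input.
    $visibility = isset( $_POST['default_visibility'] ) ? sanitize_key( wp_unslash( $_POST['default_visibility'] ) ) : 'meta_box';
    if ( ! in_array( $visibility, array( 'meta_box', 'public', 'private' ), true ) ) {
        $visibility = 'meta_box';
    }
    update_option( 'example_spar_protect_all', ! empty( $_POST['protect_all'] ) ? 1 : 0 );
    update_option( 'example_spar_default_visibility', $visibility );
}
add_action( 'admin_init', 'example_spar_save_settings_hardened' );
```

The nonce defeats forged cross-site requests because the attacker's page cannot read a value WordPress generated for the victim's session, and the capability check ensures the handler refuses lower-privileged users even when a nonce is present.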

Potential Impact

This vulnerability can have serious consequences for organizations using the Simple Page Access Restriction plugin on WordPress sites. Unauthorized changes to access restrictions can expose sensitive or private content to the public or conversely restrict legitimate access, disrupting normal operations and damaging trust. The ability to silently wipe all plugin data upon removal could lead to data loss and complicate recovery efforts. URL redirection attacks could facilitate phishing or malware distribution campaigns targeting site administrators or users. Since the attack requires tricking an administrator into clicking a malicious link, social engineering risks are elevated. Organizations relying on this plugin for content access control may face integrity and availability issues, potentially leading to compliance violations, reputational damage, and operational downtime. The medium CVSS score indicates a moderate but actionable risk that should not be ignored, especially for high-traffic or sensitive WordPress deployments.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately verify if they use the Simple Page Access Restriction plugin and identify the affected versions (up to 1.0.31). Since no official patches are currently linked, administrators should consider the following specific steps:

1) Restrict administrative access to trusted networks and users to reduce exposure to social engineering attacks.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the plugin's settings.php handler.
3) Educate administrators about the risks of clicking untrusted links, especially when logged into WordPress admin panels.
4) Temporarily disable or uninstall the plugin if feasible until a patched version is released.
5) Monitor logs for unusual changes to plugin settings or unexpected data wipes.
6) Employ multi-factor authentication (MFA) for administrator accounts to reduce the risk of account compromise.
7) Regularly back up WordPress site data, including plugin configurations, to enable recovery from data loss.

These targeted actions go beyond generic advice by focusing on the specific attack vectors and plugin behaviors involved.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-23T21:35:47.581Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68397e09182aa0cae2a8d42a

Added to database: 5/30/2025, 9:44:41 AM

Last enriched: 2/27/2026, 3:06:05 PM

Last updated: 3/21/2026, 2:42:05 PM
