CVE-2025-5142 is a CSRF vulnerability in the Simple Page Access Restriction plugin for WordPress, affecting all versions up to and including 1.0.31. The root cause is the lack of nonce validation and capability checks in the settings.php script's save handler, which manages plugin settings. Exploitation requires tricking a site administrator into executing a forged request, enabling attackers to alter access restrictions on posts and taxonomies, force public or private status on new content, wipe plugin data silently upon plugin removal, or perform URL redirection attacks. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.5 (Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: Required, Scope: Unchanged, Confidentiality Impact: None, Integrity Impact: High, Availability Impact: None). No known exploits in the wild or vendor patches are documented.

An attacker can cause unauthorized changes to the plugin's access control settings, potentially compromising content visibility and integrity. They can also cause a silent deletion of plugin data upon removal and perform URL redirection attacks, which could facilitate further malicious activity. The confidentiality of data is not impacted, but the integrity of site content and plugin configuration is at risk. Availability is not affected.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should avoid clicking on suspicious links or performing plugin settings changes from untrusted sources to reduce the risk of CSRF exploitation. Monitoring for updates from the plugin vendor or WordPress security advisories is recommended.