Skip to main content
CVE Vulnerability Database

CVE-2025-7667: Restrict File Access Plugin CSRF Vulnerability

CVE-2025-7667 is a Cross-Site Request Forgery flaw in the Restrict File Access WordPress plugin that enables attackers to delete server files, potentially leading to remote code execution. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7667 Overview

CVE-2025-7667 affects the Restrict File Access plugin for WordPress in all versions up to and including 1.1.2. The plugin fails to validate nonces on the restrict-file-access admin page, exposing administrators to Cross-Site Request Forgery [CWE-352]. An unauthenticated attacker can craft a malicious link that, when clicked by a logged-in administrator, deletes arbitrary files on the server. Deleting sensitive files such as wp-config.php triggers WordPress reinstallation flows that attackers can leverage to achieve remote code execution.

Critical Impact

Successful exploitation deletes arbitrary files on the WordPress server, enabling site takeover and remote code execution through wp-config.php removal.

Affected Products

  • WordPress Restrict File Access plugin versions ≤ 1.1.2
  • WordPress sites with the plugin installed and active
  • Site administrators authenticated to the WordPress dashboard

Discovery Timeline

  • 2025-07-15 - CVE-2025-7667 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7667

Vulnerability Analysis

The Restrict File Access plugin exposes administrative file management functionality through the restrict-file-access page in the WordPress admin interface. The handler in admin/admin.php processes file deletion requests without verifying a WordPress nonce token. This omission breaks the standard WordPress CSRF defense pattern that pairs wp_nonce_field() with check_admin_referer() or wp_verify_nonce().

Without nonce validation, the server cannot distinguish between intentional administrator actions and forged requests originating from attacker-controlled pages. An attacker who knows or guesses a target file path can construct a request that the victim's browser submits automatically when the administrator visits a malicious page or clicks a crafted link.

The impact extends beyond file deletion. Removing wp-config.php places WordPress into a setup state, allowing an attacker to point the installation at a database under their control and execute PHP through the admin interface. Deleting plugin files, theme files, or .htaccess enables additional persistence and bypass scenarios.

Root Cause

The vulnerability stems from missing or incorrect nonce validation on the plugin's administrative file management endpoint. The relevant handler in admin/admin.php accepts deletion parameters from authenticated sessions without confirming the request originated from a legitimate WordPress form. See the WordPress plugin source reference for the affected code path.

Attack Vector

Exploitation requires user interaction. An attacker hosts a page containing an auto-submitting form or image tag that issues a request to the victim site's restrict-file-access admin page with a chosen target file. When an authenticated administrator visits the attacker's page, the browser includes session cookies and the file deletion executes under the administrator's privileges. No attacker authentication to the target WordPress site is required.

The vulnerability is described in the Wordfence Vulnerability Report without published proof-of-concept exploit code.

Detection Methods for CVE-2025-7667

Indicators of Compromise

  • Unexpected deletion of wp-config.php, plugin files, or theme files on WordPress hosts
  • WordPress installations entering the setup wizard state without administrator action
  • HTTP referer headers from external domains preceding requests to the restrict-file-access admin page
  • Web server access logs showing POST or GET requests to the plugin endpoint without corresponding admin dashboard navigation

Detection Strategies

  • Monitor file integrity on WordPress webroots, with alerts on deletion of critical files such as wp-config.php and .htaccess
  • Inspect web server logs for requests to wp-admin/admin.php?page=restrict-file-access originating from cross-origin referers
  • Audit installed WordPress plugins to identify Restrict File Access versions ≤ 1.1.2

Monitoring Recommendations

  • Enable WordPress audit logging to record administrator-initiated file operations
  • Forward web server and PHP error logs to a centralized SIEM for correlation across sessions
  • Alert on rapid creation of new admin users or modification of wp-config.php following plugin endpoint access

How to Mitigate CVE-2025-7667

Immediate Actions Required

  • Update the Restrict File Access plugin to a version newer than 1.1.2 once the vendor publishes a fix
  • Deactivate and remove the plugin if no patched version is available
  • Back up wp-config.php and the WordPress webroot to enable rapid recovery from file deletion

Patch Information

No fixed version is documented in the available CVE data at the time of publication. Administrators should monitor the Wordfence advisory and the WordPress plugin repository for an updated release.

Workarounds

  • Deactivate the Restrict File Access plugin until a patched version ships
  • Restrict access to /wp-admin/ by source IP at the web server or WAF layer to limit CSRF exposure
  • Deploy a web application firewall rule that requires a valid WordPress nonce parameter on requests to the restrict-file-access page
  • Train administrators to log out of WordPress when not actively managing the site to neutralize CSRF session reuse
bash
# Example: deactivate the plugin via WP-CLI until a patch is available
wp plugin deactivate restrict-file-access
wp plugin status restrict-file-access

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.