CVE-2025-7667
WordPress · WordPress Restrict File Access plugin
A high-severity vulnerability has been identified in the Restrict File Access plugin for WordPress, which could allow an attacker to perform unauthorized actions.
Executive summary
A high-severity vulnerability has been identified in the Restrict File Access plugin for WordPress, which could allow an attacker to perform unauthorized actions. By tricking a logged-in administrator into clicking a malicious link, an attacker could potentially alter file access permissions, leading to the exposure of sensitive files or disruption of website functionality. All organizations using this plugin are urged to take immediate action to mitigate this risk.
Vulnerability
The vulnerability is a Cross-Site Request Forgery (CSRF). The plugin fails to implement or correctly validate security nonces (unique tokens) for its administrative actions. An attacker can craft a malicious web page or link that, when visited by a logged-in administrator, will force the administrator's browser to send an unauthorized request to the WordPress site. Because the request is sent from the administrator's authenticated browser session, the website processes the request as a legitimate action, allowing the attacker to change the plugin's settings, such as modifying or removing file access restrictions.
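As an added illustration (not the plugin's code, and not from the original advisory), the hypothetical handler below shows the missing-nonce pattern the advisory describes next to its hardened form, using WordPress's own nonce and capability APIs; the function names, option key and nonce action are assumptions.

```php
<?php
// Hypothetical settings handler for a file-restriction plugin (not the real
// plugin's code). The first handler shows the CSRF-prone pattern the advisory
// describes; the second shows the hardened form.

// --- Vulnerable pattern: no nonce, no capability check ---------------------
// Any request carrying the admin's session cookie (e.g. a form auto-submitted
// from an attacker-controlled page) is accepted as a settings change.
function rfa_save_rules_vulnerable() {
    $rules = isset( $_POST['rfa_rules'] ) ? (array) $_POST['rfa_rules'] : array();
    update_option( 'rfa_rules', $rules );
    wp_safe_redirect( admin_url( 'options-general.php?page=rfa' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
// The settings form embeds a nonce bound to the action name and the current
// user's session; the handler refuses requests that lack a valid one.
function rfa_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rfa_save_rules', 'rfa_nonce' ); // hidden nonce + referer field
    echo '<input type="hidden" name="action" value="rfa_save_rules">';
    echo '<input type="text" name="rfa_rules[]" value="">';
    submit_button( 'Save' );
    echo '</form>';
}

function rfa_save_rules_hardened() {
    // 1. Authorization: only users allowed to manage options may change rules.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: dies with a 403 unless rfa_nonce is valid for this action.
    check_admin_referer( 'rfa_save_rules', 'rfa_nonce' );

    // 3. Input handling: sanitize each rule before persisting it.
    $raw   = isset( $_POST['rfa_rules'] ) ? (array) wp_unslash( $_POST['rfa_rules'] ) : array();
    $rules = array_map( 'sanitize_text_field', $raw );
    update_option( 'rfa_rules', $rules );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rfa' ) ) );
    exit;
}

// Only the hardened handler is wired up; admin-post.php routes action=rfa_save_rules here.
add_action( 'admin_post_rfa_save_rules', 'rfa_save_rules_hardened' );
```

Because the nonce is tied to the logged-in user and expires, a page on another origin cannot obtain or guess it, so a forged request fails at check_admin_referer() before any option is written.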
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could have a significant business impact, including the unauthorized disclosure of sensitive or confidential information if an attacker disables file protection rules. This could lead to data breaches, reputational damage, and potential regulatory penalties. Furthermore, an attacker could maliciously alter access rules to cause a denial of service for legitimate users trying to access necessary files, disrupting business operations that rely on the website's content.
Remediation
Immediate Action: Update the "Restrict File Access" plugin to the latest version, which contains a patch for this vulnerability, without delay. After updating, administrators should audit the plugin's configuration to verify that all file access rules are correct and have not been tampered with. If the plugin's functionality is no longer required, it should be deactivated and uninstalled to reduce the overall attack surface of the website.
Proactive Monitoring: Monitor web server access logs for unusual GET or POST requests to the plugin’s administrative endpoints, particularly those with referrers from external or unexpected domains. Review WordPress audit logs for any unauthorized or suspicious changes to the "Restrict File Access" plugin settings. Configure alerts for any unexpected changes to file permissions on the server for files managed by this plugin.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block CSRF attack patterns. Ensure administrators practice good security hygiene by logging out of their WordPress administrative sessions when they are finished, minimizing the time window for a potential attack.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for sensitive data exposure, we recommend that this vulnerability be remediated with high priority. While this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants immediate attention. All administrators of WordPress sites using the "Restrict File Access" plugin should apply the vendor-supplied patch immediately. If patching must be delayed, the compensating controls outlined above should be implemented as an interim measure.