CVE-2025-22784: 
WordPress vulnerability analysis and mitigation

The Background Control WordPress plugin versions up to and including 1.0.5 contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-22784. The vulnerability was discovered by researcher Muhamad Agil Fachrian and was publicly disclosed on January 13, 2025. This security issue affects the plugin's file handling functionality and poses a risk to WordPress installations using the vulnerable versions (WPScan, Patchstack).

The vulnerability stems from missing or incorrect nonce validation on certain functions within the Background Control plugin. The CSRF vulnerability has been assigned a CVSS score of 8.1 (high) according to WPScan, while Patchstack rates it at 8.6. The issue is classified under the OWASP Top 10 category A3: Injection and CWE-352 (WPScan).

If exploited, this vulnerability could allow unauthenticated attackers to delete arbitrary files from the affected WordPress installation. The attack requires social engineering, as the attacker needs to trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions 1.0.5 and below of the Background Control plugin. Website administrators are advised to consider removing the plugin until a security patch is released (Patchstack).