CVE-2025-5142: 
WordPress vulnerability analysis and mitigation

The Simple Page Access Restriction plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.0.31. The vulnerability was discovered and disclosed on May 30, 2025, and impacts the plugin's settings save handler functionality in the settings.php script (NVD, Wiz).

The vulnerability stems from missing nonce validation and capability checks in the settings save handler within the settings.php script. The CVSS v3.1 base score is 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating that the vulnerability requires user interaction but can be exploited remotely without authentication (NVD, Wiz).

The vulnerability allows unauthenticated attackers to perform several unauthorized actions: enable or disable access protection on all post types or taxonomies, force every new page/post to be public or private regardless of meta-box settings, cause a silent wipe of all plugin data during removal, and conduct URL redirection attacks if they can trick a site administrator into performing specific actions (NVD).

The vulnerability has been patched in version 1.0.32, released on May 24, 2025. The update adds nonce validation to settings and metabox handling. Users are advised to update to this latest version immediately (WordPress Plugin, Plugin Changeset).