CVE-2025-7667: 
WordPress vulnerability analysis and mitigation

The Restrict File Access plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.1.2, identified as CVE-2025-7667. The vulnerability was discovered and disclosed on July 15, 2025. The issue affects the 'restrict-file-access' page functionality due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper security controls in the 'restrict-file-access' page, specifically the absence of proper nonce validation. The CVSS v3.1 base score is 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server through forged requests. This can potentially lead to remote code execution when critical files, such as wp-config.php, are deleted. The impact is particularly severe as it can compromise the integrity and availability of the WordPress installation (NVD).

Users should immediately update the Restrict File Access plugin to a version newer than 1.1.2 when available. Until a patch is released, it is recommended to consider temporarily deactivating the plugin if it's not critical to operations (NVD).