CVE-2025-3064
Published
CVSS v3: 8.8 (HIGH)
CVSS v2: N/A
Affected: 1 project
Description
The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option, which can be leveraged for privilege escalation, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
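To make the defect class concrete, the following is an added illustration in WordPress plugin terms; it is not the WPFront plugin's code and does not reproduce the actual whitelist_options() function, which the advisory does not show. It contrasts a settings handler that writes a role option from request data with no nonce check (the pattern the advisory describes) against a hardened handler that verifies the nonce with wp_verify_nonce(), checks the caller's capability, and validates the submitted role against the registered roles. The option name `example_default_role`, the nonce action `example_save_default_role`, the nonce field `_example_nonce`, the form field `default_role`, and the function names are all assumptions; the code expects to run inside a loaded WordPress multisite installation.

```php
<?php
// Added example: hypothetical WordPress option handlers, not code from the WPFront plugin.
// Assumed names: option 'example_default_role', nonce action 'example_save_default_role',
// nonce field '_example_nonce', form field 'default_role'.

/**
 * Vulnerable pattern: the only condition is that the request reached the hook.
 * A cross-site POST issued by a logged-in administrator's browser passes straight
 * through because nothing ties the request to a token the site itself issued.
 */
function example_save_default_role_vulnerable() {
    if ( ! isset( $_POST['default_role'] ) ) {
        return;
    }
    // No nonce verification, no capability check, no validation of the value.
    update_site_option( 'example_default_role', $_POST['default_role'] );
}

/**
 * Hardened pattern. The nonce binds the request to the current user's session and
 * to this specific action, so a request forged from another origin cannot carry a
 * valid one. The capability check is separate: a nonce proves intent, not authority.
 */
function example_save_default_role_hardened() {
    if ( ! isset( $_POST['default_role'] ) ) {
        return;
    }

    // 1. CSRF protection: reject any request lacking a valid nonce for this action.
    $nonce = isset( $_POST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_default_role' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Authorization: on multisite, only network administrators may change a
    //    network-wide default.
    if ( ! current_user_can( 'manage_network_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Input validation: store only a role slug that is actually registered.
    $role = sanitize_key( wp_unslash( $_POST['default_role'] ) );
    if ( ! wp_roles()->is_role( $role ) ) {
        wp_die( 'Unknown role.', 'Bad Request', array( 'response' => 400 ) );
    }

    update_site_option( 'example_default_role', $role );
}

/**
 * The form that posts to the hardened handler must emit the matching nonce field;
 * wp_nonce_field() writes the hidden input with the same action and field name.
 */
function example_render_default_role_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_default_role', '_example_nonce' );
    echo '<select name="default_role">';
    foreach ( wp_roles()->get_names() as $slug => $name ) {
        printf( '<option value="%s">%s</option>', esc_attr( $slug ), esc_html( $name ) );
    }
    echo '</select><button type="submit">Save</button></form>';
}

add_action( 'admin_init', 'example_save_default_role_hardened' );
```

The order of the three checks matters for triage as well as safety: a failed nonce check is the signal to log for CSRF attempts, a failed capability check indicates a logged-in but unauthorized user, and a failed role lookup indicates tampered input. When reviewing a plugin for this class of bug, look for every code path that calls update_option() or update_site_option() on request data and confirm that each one is reachable only after a wp_verify_nonce() or check_admin_referer() call and a current_user_can() call.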
<p>WPFront User Role Editor plugin allows you to easily manage WordPress user roles within your site.<br />
You can create, edit or delete user roles and manage role capabilities.</p>
<h3>Features</h3>
<ul>
<li>Create new roles.</li>
<li>Edit or rename existing roles.</li>
<li>Clone existing roles.</li>
<li>Manage capabilities.</li>
<li>Allows you to add role capabilities.</li>
<li>Change default user role.</li>
<li>Add or Remove capabilities.</li>
<li>Restore role.</li>
<li>Assign multiple roles.</li>
<li>Migrate users.</li>
<li>Navigation menu permissions basic.</li>
<li>Widget permissions basic.</li>
<li>Login redirect basic.</li>
<li><a href="https://wpfront.com/user-role-editor-pro/menu-editor/" rel="nofollow ugc">Admin menu editor.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/media-attachment-file-permissions/" rel="nofollow ugc">Media library permissions.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/user-level-permissions/" rel="nofollow ugc">User level permissions.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/navigation-menu-permissions/" rel="nofollow ugc">Navigation menu permissions advanced.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/widget-permissions/" rel="nofollow ugc">Widget permissions advanced.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/login-redirect/" rel="nofollow ugc">Login redirect advanced.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/posts-pages-extended-permissions/" rel="nofollow ugc">Post/Page extended permissions.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/custom-post-type-permissions/" rel="nofollow ugc">Custom post type permissions.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/content-restriction-shortcodes/" rel="nofollow ugc">Content restriction shortcodes.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/export-roles/" rel="nofollow ugc">Import/Export.</a> [PRO]</li>
<li><a href="https://wpfront.com/user-role-editor-pro/multisite-sync-roles/" rel="nofollow ugc">Multisite support.</a> [PRO]</li>
</ul>
<p>Compare <a href="https://wpfront.com/ppro" rel="nofollow ugc">User Role Editor Pro</a></p>
<p>Spanish tutorial: <a href="https://www.youtube.com/embed/YRZdWH-uukI?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent" rel="nofollow ugc">YouTube video</a></p>