Cross-Site Request Forgery Vulnerability in WPFront User Role Editor Plugin for WordPress
CVE-2025-3064
8.8 HIGH
What is CVE-2025-3064?
The WPFront User Role Editor plugin for WordPress is susceptible to a Cross-Site Request Forgery vulnerability. This flaw arises from inadequate nonce validation in the whitelist_options() function, allowing unauthenticated attackers to manipulate the default role option. By tricking a site administrator into executing a forged request, attackers can escalate privileges, particularly in multisite setups. This vulnerability underscores the importance of robust nonce verification to protect user roles and ensure plugin security.
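The nonce check described above, shown as an added example. This is not the plugin's code or its patch: every example_* function name and the _example_nonce field name are hypothetical, and the weak handler is a constructed illustration of this class of bug, not a reconstruction of whitelist_options(). The block is meant to be loaded as a small plugin on a WordPress site.

```php
<?php
// Added illustration for a WordPress site; NOT WPFront User Role Editor code.
// All example_* names and the _example_nonce field are hypothetical.

// Settings form: wp_nonce_field() emits a token tied to this user, session and action.
function example_default_role_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_default_role">
        <?php wp_nonce_field( 'example_save_default_role', '_example_nonce' ); ?>
        <select name="default_role"><?php wp_dropdown_roles( get_option( 'default_role' ) ); ?></select>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Weak pattern (constructed, deliberately never hooked): the capability check
// passes for any request sent by an administrator's browser, so it cannot tell
// a click in the dashboard from a request submitted by a third-party page.
function example_save_default_role_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_option( 'default_role', sanitize_key( wp_unslash( $_POST['default_role'] ?? '' ) ) );
}

// Hardened handler: capability check, nonce check, then an allow-list on the value.
function example_save_default_role() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Stops the request unless it carries the nonce issued by the form above.
    check_admin_referer( 'example_save_default_role', '_example_nonce' );

    $role = isset( $_POST['default_role'] ) ? sanitize_key( wp_unslash( $_POST['default_role'] ) ) : '';
    if ( null === get_role( $role ) ) { // accept only roles that exist on this site
        wp_die( 'Unknown role', '', array( 'response' => 400 ) );
    }
    update_option( 'default_role', $role );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_save_default_role', 'example_save_default_role' );
```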
Affected Version(s)
WPFront User Role Editor * <= 4.2.1