Cross-Site Request Forgery Vulnerability in WPFront User Role Editor Plugin for WordPress
CVE-2025-3064
8.8 HIGH
Summary
The WPFront User Role Editor plugin for WordPress is susceptible to a Cross-Site Request Forgery vulnerability. This flaw arises from inadequate nonce validation in the whitelist_options() function, allowing unauthenticated attackers to manipulate the default role option. By tricking a site administrator into executing a forged request, attackers can escalate privileges, particularly in multisite setups. This vulnerability underscores the importance of robust nonce verification to protect user roles and ensure plugin security.
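The missing check the summary describes, as an added illustration that is not the plugin's own code: a hypothetical WordPress settings handler that writes the default_role option, first without any request-origin check and then hardened with the capability check, nonce verification and role allowlist that cause a forged cross-origin request to be rejected. The demo_ function and nonce names are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical plugin fragment (not WPFront's code) showing the bug class from
// the advisory: an option write reachable by a forged request. All demo_ names
// are assumed for this example; the WordPress functions are the real APIs.
defined('ABSPATH') || exit;

const DEMO_NONCE_ACTION = 'demo_update_default_role';
const DEMO_NONCE_FIELD  = 'demo_default_role_nonce';

// Vulnerable pattern: any POST that reaches this handler is trusted, so a page
// on another origin can submit it through an administrator's browser session.
function demo_update_default_role_unsafe() {
    if (isset($_POST['default_role'])) {
        update_option('default_role', sanitize_key(wp_unslash($_POST['default_role'])));
    }
}

// Hardened pattern: capability, nonce, then input validation, in that order.
function demo_update_default_role_safe() {
    if (!isset($_POST['default_role'])) {
        return;
    }
    // 1. Capability: only users allowed to manage options may change it.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), '', ['response' => 403]);
    }
    // 2. Nonce: proves the request came from our own form rendered for this
    //    logged-in user; check_admin_referer() dies on a missing/invalid nonce.
    check_admin_referer(DEMO_NONCE_ACTION, DEMO_NONCE_FIELD);
    // 3. Input: accept only a role this user is actually allowed to assign.
    $role = sanitize_key(wp_unslash($_POST['default_role']));
    if (!array_key_exists($role, get_editable_roles())) {
        wp_die(__('Invalid role.'), '', ['response' => 400]);
    }
    update_option('default_role', $role);
}

// The legitimate form must embed the matching nonce or its own submit fails.
function demo_render_default_role_form() {
    echo '<form method="post">';
    wp_nonce_field(DEMO_NONCE_ACTION, DEMO_NONCE_FIELD);
    echo '<select name="default_role">';
    foreach (get_editable_roles() as $slug => $details) {
        printf('<option value="%s">%s</option>', esc_attr($slug), esc_html($details['name']));
    }
    echo '</select><button type="submit">Save</button></form>';
}

add_action('admin_init', 'demo_update_default_role_safe');
```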
Affected Version(s)
WPFront User Role Editor <= 4.2.1
CVSS v3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
Matthew Rollings
Brian Sans-Souci