PT-2025-15409 · Wpfront · Wpfront User Role Editor

Brian Sans-Souci (+1)

Published: 2025-04-08 · Updated: 2025-04-08

CVE-2025-3064

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WPFront User Role Editor versions up to 4.2.1
Description: The issue is a Cross-Site Request Forgery caused by missing or incorrect nonce validation in the whitelist_options() function. It allows an unauthenticated attacker to update the default role option via a forged request, which can be used for privilege escalation. The attacker must trick a site administrator into performing an action, such as clicking on a link, while logged in. This issue is only exploitable on multisite instances.
Recommendations: For versions up to 4.2.1, update to a version higher than 4.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the whitelist_options() function until a patch is available. Additionally, be cautious when clicking on links from untrusted sources to minimize the risk of exploitation.
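The missing-nonce pattern the description refers to, shown as an added illustrative example rather than the plugin's own code: a WordPress admin-post handler that updates a plugin option, first in the shape that is exposed to CSRF (a capability check alone, which a forged request carrying the administrator's cookies still satisfies), then hardened with check_admin_referer() verifying the nonce that wp_nonce_field() emits in the settings form. The function and option names (example_ure_*) are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not code from WPFront User Role Editor.
// Names prefixed example_ure_ are hypothetical; WordPress API calls are real.

// --- CSRF-exposed shape: capability check only, no nonce validation ---
// A request forged by another site and submitted by a logged-in admin's
// browser carries the admin's cookies, so current_user_can() passes and the
// option is written even though the admin never intended the change.
function example_ure_save_default_role_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $role = isset( $_POST['default_role'] ) ? sanitize_key( wp_unslash( $_POST['default_role'] ) ) : '';
    if ( get_role( $role ) ) {
        update_option( 'example_ure_default_role', $role ); // hypothetical option
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-ure' ) );
    exit;
}

// --- Hardened handler: nonce verification plus capability check ---
function example_ure_save_default_role() {
    // Rejects any request that lacks a nonce tied to this action and to the
    // current user's session (dies with HTTP 403 when missing or stale).
    check_admin_referer( 'example_ure_save_default_role', '_example_ure_nonce' );

    // Authorization is still required; the nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Accept only a role that actually exists on this site.
    $role = isset( $_POST['default_role'] ) ? sanitize_key( wp_unslash( $_POST['default_role'] ) ) : '';
    if ( ! get_role( $role ) ) {
        wp_die( 'Unknown role', '', array( 'response' => 400 ) );
    }

    update_option( 'example_ure_default_role', $role ); // hypothetical option
    wp_safe_redirect( admin_url( 'options-general.php?page=example-ure&updated=1' ) );
    exit;
}
// admin_post_{action} routes POSTs to admin-post.php with action=example_ure_save_default_role.
add_action( 'admin_post_example_ure_save_default_role', 'example_ure_save_default_role' );

// Settings form: the hidden nonce field emitted here is what
// check_admin_referer() above verifies on submission.
function example_ure_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_ure_save_default_role">
        <?php wp_nonce_field( 'example_ure_save_default_role', '_example_ure_nonce' ); ?>
        <select name="default_role">
            <?php wp_dropdown_roles( get_option( 'example_ure_default_role', 'subscriber' ) ); ?>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce name and action string must match between wp_nonce_field() and check_admin_referer(); a mismatch fails closed, which is the behaviour you want. For network-wide settings on a multisite install, the same pattern applies with update_site_option() and the manage_network_options capability in place of the single-site calls.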

Fix · LPE · CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-3064

Affected Products: Wpfront User Role Editor