CVE-2025-22784

High

Published: 15 January 2025

Published

15 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0032 54.6th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Background Control background-control allows Path Traversal.This issue affects Background Control: from n/a through <= 1.0.5.

Security Summary

CVE-2025-22784 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Background Control WordPress plugin developed by swedish boy. The flaw enables path traversal and affects all versions of the plugin up to and including 1.0.5.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). Exploitation allows attackers to perform arbitrary file deletion on the target system, resulting in high-impact disruption to availability.

The Patchstack advisory documents this as a CSRF-to-arbitrary-file-deletion vulnerability specifically in Background Control plugin version 1.0.5 and provides details on the issue.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/background-control/vulnerability/wordpress-background-control-plugin-1-0-5-csrf-to-arbitrary-file-deletion-vulnerability?_s_id=cve
audit@patchstack.com