CVE-2025-9884 in Mobile Site Redirect Plugin
Summary
by MITRE • 10/03/2025
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/03/2025
The Mobile Site Redirect plugin for WordPress presents a critical cross-site request forgery vulnerability that affects all versions through 1.2.1, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate nonce validation within the plugin's functionality, specifically targeting a function that handles settings updates. The absence of proper authentication checks and validation mechanisms allows attackers to craft malicious requests that can be executed without the knowledge or consent of legitimate users.
The technical flaw manifests in the plugin's failure to implement robust nonce verification processes when processing administrative actions. Nonce values serve as critical anti-CSRF protection measures by ensuring that requests originate from authenticated sources and are not forged by malicious actors. When these validation checks are absent or improperly implemented, attackers can exploit the vulnerability through social engineering tactics such as phishing emails or compromised websites. The attack vector requires minimal privileges since the vulnerability targets unauthenticated users who can manipulate administrative settings through carefully constructed forged requests.
This vulnerability creates substantial operational impact for WordPress site administrators and organizations relying on the Mobile Site Redirect plugin. Attackers can leverage this flaw to inject malicious web scripts into affected sites, potentially leading to session hijacking, data exfiltration, or complete site compromise. The risk is particularly severe because the attack requires only that an administrator clicks on a malicious link, making it highly exploitable in real-world scenarios where administrators may encounter compromised content through various channels including email communications or social media platforms. The vulnerability essentially undermines the security model of WordPress by allowing unauthorized modifications to critical plugin settings without proper authentication.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the nonce validation deficiencies, as recommended by the WordPress security team and industry best practices. Organizations should also implement comprehensive monitoring of administrative actions and user activities on affected sites to detect potential exploitation attempts. Network-level protections such as web application firewalls can provide additional defense-in-depth measures, though they cannot fully compensate for the fundamental authentication failures in the plugin's design. Security teams should conduct thorough audits of all installed WordPress plugins to identify similar nonce validation issues and ensure proper implementation of authentication controls. This vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery flaws, and corresponds to ATT&CK technique T1059.007 for web shell execution through compromised administrative interfaces, highlighting the critical nature of proper input validation and authentication mechanisms in web application security protocols.