Community Security Notice: Mobile Site Redirect Vulnerability (CVE-2025-9884)

WordPress Mobile Site Redirect plugin

Urgent security advisory: CVE-2025-9884 — Mobile Site Redirect (<= 1.2.1) — CSRF → Stored XSS


Plugin Name: Mobile Site Redirect
Type of Vulnerability: Cross-Site Request Forgery (CSRF)
CVE Number: CVE-2025-9884
Urgency: Low
CVE Publish Date: 2025-10-03
Source URL: CVE-2025-9884

Published: 3 October 2025 · Hong Kong security expert advisory

As a Hong Kong-based security team, we are publishing this advisory to inform WordPress site owners and developers about a recently disclosed vulnerability affecting the Mobile Site Redirect plugin (versions ≤ 1.2.1), tracked as CVE-2025-9884. The flaw is a Cross-Site Request Forgery (CSRF) that can be chained to Stored Cross-Site Scripting (XSS). In short: an attacker can induce a privileged user’s browser to store malicious JavaScript in site settings, which may later run in admin screens or on the public site.


TL;DR — What you need to know, right now

  • A vulnerability in Mobile Site Redirect ≤ 1.2.1 can be abused via CSRF to inject stored XSS payloads into the site.
  • Public disclosure: 3 Oct 2025 (CVE-2025-9884).
  • Attackers typically need to trick an authenticated administrator (or another privileged user) into visiting a malicious page; the eventual payload is persistent (stored) XSS.
  • Potential impact: session theft, admin takeover, persistent backdoors, SEO spam, malicious redirects, or full site compromise.
  • At time of disclosure there may be no official fix for the affected versions — treat installations as at risk until a vendor patch is available and verified.
  • Immediate protective actions: deactivate or remove the plugin, virtual patch (WAF or server-level blocks), search and clean stored payloads, rotate credentials and salts, and perform a full incident response if necessary.

How the vulnerability works (technical breakdown)

In short, the vulnerability is a combination of missing CSRF protection and inadequate output sanitization for stored settings:

  1. The plugin exposes an admin action or settings endpoint that accepts user input (redirect rules, custom text, etc.).
  2. The endpoint lacks proper CSRF protection (nonce checks) and/or adequate capability checks, allowing a POST from an attacker-controlled page to be accepted by an authenticated admin’s browser.
  3. The plugin saves POSTed values into the database without sufficient sanitization. If those values include JavaScript (for example,
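To make the three conditions above concrete, here is an added illustration (not the plugin's own code) of a hypothetical WordPress settings handler written in the pattern the advisory describes, followed by a hardened version that adds the capability check, nonce verification, input sanitization and output escaping. All names (the msr_* functions, the msr_settings option key and the form field names) are assumptions for the example.

```php
<?php
// Added example, not code from the Mobile Site Redirect plugin.
// All msr_* names, the option key and the field names are assumptions.

// VULNERABLE PATTERN (what the advisory describes): no nonce check,
// no capability check, and the POSTed values are stored as received.
function msr_save_settings_vulnerable() {
    if ( isset( $_POST['msr_mobile_url'] ) ) {
        update_option( 'msr_settings', array(
            'mobile_url' => $_POST['msr_mobile_url'], // stored unsanitized
            'notice'     => $_POST['msr_notice'],     // later echoed into HTML
        ) );
    }
}

// HARDENED: capability check + nonce verification + per-field sanitization.
function msr_save_settings_hardened() {
    if ( ! isset( $_POST['msr_mobile_url'] ) ) {
        return;
    }
    // 1. Only users permitted to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. A valid nonce ties the request to this site's form; a request
    //    forged from a third-party page cannot supply it.
    check_admin_referer( 'msr_save_settings', 'msr_nonce' );

    // 3. Sanitize each field for its expected type before it is stored.
    $url = esc_url_raw( wp_unslash( $_POST['msr_mobile_url'] ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid redirect URL', 400 );
    }
    $notice = sanitize_text_field( wp_unslash( $_POST['msr_notice'] ?? '' ) );

    update_option( 'msr_settings', array( 'mobile_url' => $url, 'notice' => $notice ) );
}
// Route the admin-post action to the hardened handler (assumed action name).
add_action( 'admin_post_msr_save_settings', 'msr_save_settings_hardened' );

// The settings form must emit the nonce the handler verifies.
function msr_render_nonce_field() {
    wp_nonce_field( 'msr_save_settings', 'msr_nonce' );
}

// 4. Escape on output as well; input sanitization alone is not enough.
function msr_render_notice() {
    $settings = get_option( 'msr_settings', array() );
    echo '<p>' . esc_html( $settings['notice'] ?? '' ) . '</p>';
}
```

Sites that cannot upgrade can verify the same properties when auditing a plugin: look for check_admin_referer (or wp_verify_nonce) and current_user_can in every handler that writes options, and for esc_* calls wherever stored values are printed.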