CVE-2025-23677 Overview
CVE-2025-23677 is a Cross-Site Request Forgery (CSRF) vulnerability in the DSmidge HTTP to HTTPS link changer plugin by Eyga.net for WordPress. The flaw affects the https-links-in-content plugin in all versions up to and including 0.2.4. Exploitation chains CSRF with Stored Cross-Site Scripting (XSS), allowing attackers to inject persistent malicious scripts when an authenticated administrator is tricked into visiting an attacker-controlled page. The issue is tracked under CWE-352 and carries a CVSS 3.1 score of 7.1.
Critical Impact
An attacker can store arbitrary JavaScript in the WordPress site by abusing the missing CSRF protection, which can lead to session theft, unauthorized administrative actions performed in the victim's session, and site defacement.
Affected Products
- WordPress plugin: HTTP to HTTPS link changer by Eyga.net (https-links-in-content)
- All versions up to and including 0.2.4 (no lower bound is given in the advisory data)
- WordPress sites running the vulnerable plugin with authenticated administrator access
Discovery Timeline
- 2025-01-16 - CVE-2025-23677 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23677
Vulnerability Analysis
The plugin exposes a state-changing administrative action without verifying the origin or intent of the request. WordPress provides nonces (wp_nonce_field and check_admin_referer) precisely to defend against CSRF, but the affected endpoint either omits this verification or implements it incorrectly. As a result, any HTTP POST request issued by a logged-in administrator's browser is accepted as legitimate, regardless of which site caused the browser to send it.
The vulnerability escalates beyond a pure CSRF because user-supplied input handled by the action is stored without proper sanitization or output encoding. When the resulting content is later rendered in the admin or front-end context, the injected script executes in the victim's browser, producing Stored XSS.
Root Cause
The root cause is the absence of CSRF token validation [CWE-352] combined with insufficient input sanitization. The plugin trusts authenticated session cookies as proof of intent, which violates standard WordPress plugin security guidance.
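The handler pattern the analysis and root cause describe, shown as an added example: this is hypothetical plugin code written for this page, not the actual https-links-in-content source, whose internals the advisory does not show. The first pair of functions trusts the session cookie alone and echoes the stored value unescaped (the CSRF-to-Stored-XSS chain); the second pair ties the request to a nonce with check_admin_referer(), allow-lists what is stored, and escapes it on output. The option name hlc_hosts, the action name hlc_save_settings and the function names are assumed.

```php
<?php
// Added illustrative example, not code from the https-links-in-content plugin.
// Hypothetical settings handler storing a list of hostnames whose links should
// be rewritten from http:// to https://. Option/action names are assumptions.

// --- Vulnerable pattern: the class of defect the advisory describes ---
function hlc_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // No nonce check: any POST a logged-in admin's browser sends is accepted,
    // wherever it originated, and the raw value is stored unsanitized.
    update_option( 'hlc_hosts', $_POST['hlc_hosts'] );
}

function hlc_render_settings_vulnerable() {
    // Unescaped output: a stored "</textarea><script>..." payload executes
    // in the browser of every administrator who opens this page.
    echo '<textarea name="hlc_hosts">' . get_option( 'hlc_hosts' ) . '</textarea>';
}

// --- Hardened pattern: nonce + capability check + allow-list + escaping ---
function hlc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hlc_save_settings', 'hlc_nonce' ); ?>
        <input type="hidden" name="action" value="hlc_save_settings">
        <textarea name="hlc_hosts"><?php echo esc_textarea( get_option( 'hlc_hosts', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function hlc_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request unless the nonce is valid.
    // The nonce is bound to the user session and the action name, so a form
    // served from another site cannot supply a matching value.
    check_admin_referer( 'hlc_save_settings', 'hlc_nonce' );

    $raw   = isset( $_POST['hlc_hosts'] ) ? wp_unslash( $_POST['hlc_hosts'] ) : '';
    $hosts = array();
    foreach ( preg_split( '/[\s,]+/', (string) $raw ) as $h ) {
        $h = strtolower( sanitize_text_field( $h ) );
        // Allow-list instead of deny-list: only a plain hostname survives.
        // Anything containing <, >, quotes or slashes is dropped, not stored.
        if ( $h !== '' && preg_match( '/^[a-z0-9.-]+$/', $h ) ) {
            $hosts[] = $h;
        }
    }
    update_option( 'hlc_hosts', implode( "\n", array_unique( $hosts ) ) );

    // Redirect back to the (assumed) settings page instead of rendering here.
    wp_safe_redirect( admin_url( 'options-general.php?page=hlc&updated=1' ) );
    exit;
}
add_action( 'admin_post_hlc_save_settings', 'hlc_save_settings' );
```

The two defences are independent and both are needed: the nonce stops a foreign page from triggering the save at all, while the allow-list and esc_textarea() ensure that even a value written through some other path cannot become executable markup when the page is rendered.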
Attack Vector
Attack execution is network-based and requires user interaction. The attacker hosts a crafted HTML page or sends a phishing link to a WordPress administrator. When the administrator visits the page while authenticated, the browser silently submits a forged request to the vulnerable plugin endpoint. The payload is persisted in the site database, and the stored script subsequently runs whenever the affected page loads.
No verified proof-of-concept code is publicly available. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-23677
Indicators of Compromise
- Unexpected <script> tags, onerror, or onload attributes in plugin-managed content or post bodies
- Administrative POST requests to the plugin's settings handler originating from external Referer headers
- New or modified options in wp_options related to the https-links-in-content plugin without a corresponding admin session in audit logs
- Outbound requests from administrator browsers to unknown domains shortly after visiting external URLs
Detection Strategies
- Inspect WordPress request logs (WAF or application-level logs that record request parameters, since standard access logs do not capture POST bodies) for POST requests to plugin endpoints lacking a _wpnonce parameter
- Compare stored plugin configuration values against a known-good baseline to detect injected HTML or JavaScript
- Deploy a Web Application Firewall (WAF) rule that flags cross-origin POST requests targeting wp-admin plugin handlers
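A detection pass over web-server access logs, added here as an example and not part of the advisory or the plugin: because a standard combined-format access log does not record the POST body, the _wpnonce parameter is not visible there, so the script keys on the other signal listed above, an administrative POST whose Referer is missing or points at a host other than the site itself. The site hostname, the handler paths and the four log lines are constructed for the example.

```php
<?php
// Added example, not from the advisory or the plugin. Flags POST requests to
// wp-admin handlers whose Referer is absent or belongs to a different host.

const SITE_HOST = 'blog.example'; // constructed: the WordPress site being watched

// Handlers a plugin settings form typically posts to (assumption; extend to
// the plugin's own admin page URL if it registers one).
const ADMIN_HANDLERS = array(
    '/wp-admin/admin-post.php',
    '/wp-admin/admin-ajax.php',
    '/wp-admin/options.php',
);

function parse_combined_log_line( string $line ): ?array {
    // Combined log format:
    // ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null; // not a combined-format line; skip rather than guess
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => parse_url( $m[4], PHP_URL_PATH ) ?: $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

function is_suspicious_admin_post( array $req ): bool {
    if ( $req['method'] !== 'POST' || ! in_array( $req['path'], ADMIN_HANDLERS, true ) ) {
        return false;
    }
    // Browsers send a same-site Referer for a form submitted from wp-admin.
    // A missing Referer on an admin POST is worth reviewing; a foreign one is
    // the cross-site submission this advisory describes.
    if ( $req['referer'] === '' || $req['referer'] === '-' ) {
        return true;
    }
    $host = strtolower( (string) parse_url( $req['referer'], PHP_URL_HOST ) );
    return $host !== SITE_HOST;
}

function find_suspicious_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = parse_combined_log_line( $line );
        if ( $req !== null && is_suspicious_admin_post( $req ) ) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample: a legitimate save from the settings page, a POST whose
// Referer is a third-party site, a POST with no Referer, and an unrelated GET.
$sample = array(
    '203.0.113.10 - - [16/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=hlc" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2025:10:05:42 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://third-party.invalid/page.html" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2025:10:06:03 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2025:10:07:00 +0000] "GET /wp-admin/options-general.php?page=hlc HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"',
);

// Expected: the second and third lines are reported, the first and fourth are not.
foreach ( find_suspicious_requests( $sample ) as $hit ) {
    printf( "ALERT %s %s POST %s referer=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer'] );
}
```

Privacy-extension users and some proxies strip the Referer header, so the "missing Referer" branch will produce some benign hits; treat it as a triage queue and correlate with the wp_options baseline comparison above rather than as a blocking rule on its own.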
Monitoring Recommendations
- Monitor administrator account activity for anomalous browser-driven configuration changes
- Alert on responses from wp-admin pages that contain unexpected inline script content
- Track plugin version inventory across managed WordPress sites and flag any instance running 0.2.4 or earlier
How to Mitigate CVE-2025-23677
Immediate Actions Required
- Disable or remove the HTTP to HTTPS link changer plugin until a patched release is available
- Audit existing plugin settings and post content for injected scripts and remove malicious entries
- Force a password reset and session invalidation for all WordPress administrator accounts
- Restrict administrative access using IP allow-lists or multi-factor authentication to reduce CSRF exposure
Patch Information
No fixed version has been published in the available advisory data. Versions through 0.2.4 remain vulnerable. Track the Patchstack Vulnerability Report for vendor remediation updates.
Workarounds
- Deactivate the plugin and substitute its functionality with a maintained alternative such as Really Simple SSL
- Apply a WAF virtual patch that enforces same-origin checks on the plugin's administrative endpoints
- Educate administrators to log out of WordPress sessions before browsing untrusted sites
# Configuration example: locate and disable the vulnerable plugin via WP-CLI
wp plugin list --name=https-links-in-content --fields=name,status,version
wp plugin deactivate https-links-in-content
wp plugin delete https-links-in-content
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.