CVE-2025-23818 Overview
CVE-2025-23818 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress More Link Modifier plugin (more-link-modifier) developed by pyko. This vulnerability allows attackers to exploit CSRF weaknesses to inject Stored Cross-Site Scripting (XSS) payloads into affected WordPress installations. When successfully exploited, an attacker can trick an authenticated administrator into unknowingly submitting malicious requests that store XSS payloads, which then execute in the browsers of users who view the affected content.
Critical Impact
This CSRF-to-Stored-XSS chain lets an attacker who holds no account on the target site plant a persistent script on it, provided a logged-in administrator can be induced to load an attacker-controlled page. The payload then runs in the browser of every visitor who renders the affected content, compromising site integrity and visitor security.
Affected Products
- WordPress More Link Modifier plugin (more-link-modifier), all releases up to and including version 1.0.3
Discovery Timeline
- 2025-01-16 - CVE-2025-23818 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23818
Vulnerability Analysis
This vulnerability represents a dangerous combination of two web application security flaws: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The More Link Modifier plugin fails to properly implement CSRF protections on administrative functions that modify plugin settings or content. Additionally, the plugin does not adequately sanitize or escape user input before storing and rendering it, creating the conditions for a Stored XSS attack.
The attack chain works as follows: An attacker crafts a malicious page containing a hidden form that submits data to the vulnerable WordPress plugin endpoint. When an authenticated administrator visits this malicious page, their browser automatically submits the request using their valid session credentials. Because the plugin lacks proper CSRF token validation, it accepts and processes the request, storing the attacker's XSS payload in the database. Subsequently, when any user views pages affected by the More Link Modifier plugin, the stored malicious script executes in their browser context.
Root Cause
The root cause of this vulnerability lies in the plugin's failure to implement two critical security controls:
Missing CSRF Token Validation (CWE-352): The plugin does not verify WordPress nonces or other anti-CSRF tokens on state-changing operations, allowing cross-origin requests to be processed as legitimate administrative actions.
Insufficient Input Sanitization: User-supplied data that modifies the "more" link behavior is not properly sanitized or escaped before being stored in the database and rendered on the frontend, enabling XSS payload injection.
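The two controls above are easiest to see side by side. The following is an added illustration written for this page; it is not the More Link Modifier plugin's code, and the option name (`mlm_more_label`), form field, hook name and settings page slug are assumptions. The first handler shows the vulnerable pattern (no nonce, no capability check, raw storage, unescaped output); the second shows the hardened pattern using the standard WordPress primitives.

```php
<?php
// Added example, not the plugin's own code. All identifiers are hypothetical.

// --- Vulnerable pattern (not registered; shown for contrast) ---------------
function mlm_save_label_vulnerable() {
    // No check_admin_referer(): any cross-site form the admin's browser submits
    // is processed with the admin's cookies. No capability check either.
    // Raw value stored: '<img src=x onerror=alert(1)>' lands in the database.
    update_option('mlm_more_label', $_POST['mlm_more_label']);
    wp_safe_redirect(admin_url('options-general.php?page=mlm'));
    exit;
}
function mlm_more_link_vulnerable($link, $text) {
    // Unescaped output: the stored payload executes on every page with a more link.
    return str_replace($text, get_option('mlm_more_label'), $link);
}

// --- Hardened pattern ------------------------------------------------------
add_action('admin_post_mlm_save_label', 'mlm_save_label_hardened');
function mlm_save_label_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action. A page on
    //    another origin cannot read the nonce, so a forged request dies here.
    check_admin_referer('mlm_save_label', 'mlm_nonce');

    // 2. Authorization: only users who may manage options can change settings.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), 403);
    }

    // 3. Sanitize on input: strip tags, line breaks and control characters.
    $label = isset($_POST['mlm_more_label'])
        ? sanitize_text_field(wp_unslash($_POST['mlm_more_label']))
        : '';
    update_option('mlm_more_label', $label);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=mlm')));
    exit;
}

add_filter('the_content_more_link', 'mlm_more_link_hardened', 10, 2);
function mlm_more_link_hardened($link, $text) {
    // 4. Escape on output: even a bad value that reached the database renders inert.
    $label = get_option('mlm_more_label', '');
    return $label === '' ? $link : str_replace($text, esc_html($label), $link);
}

// Settings form that pairs with the hardened handler (nonce field included).
function mlm_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="mlm_save_label">
        <?php wp_nonce_field('mlm_save_label', 'mlm_nonce'); ?>
        <input type="text" name="mlm_more_label"
               value="<?php echo esc_attr(get_option('mlm_more_label', '')); ?>">
        <?php submit_button(__('Save')); ?>
    </form>
    <?php
}
```

Note that the nonce check alone closes the CSRF path, and output escaping alone would neutralise the stored XSS; the hardened handler applies both because either control on its own still leaves an admin-abusable weakness (an authenticated, non-forged request could still store HTML without sanitization, and a stored value without escaping could be rendered elsewhere).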
Attack Vector
The attack is network-based and requires user interaction—specifically, an authenticated WordPress administrator must be social-engineered into visiting an attacker-controlled webpage. The attack does not require the attacker to have any prior authentication or privileges on the target WordPress site.
A typical attack scenario involves:
- Attacker identifies a WordPress site using the vulnerable More Link Modifier plugin
- Attacker creates a malicious webpage containing an auto-submitting form targeting the plugin's settings endpoint
- Attacker lures a site administrator to visit the malicious page (via phishing, malvertising, etc.)
- The administrator's browser automatically submits the CSRF request, injecting the XSS payload
- The stored XSS payload executes whenever users interact with affected content
This page does not reproduce a proof of concept for the plugin's endpoint; refer to the Patchstack Vulnerability Report for the verified exploitation mechanics.
Detection Methods for CVE-2025-23818
Indicators of Compromise
- Unexpected modifications to More Link Modifier plugin settings without administrator action
- Presence of <script> tags, event handlers (e.g., onerror, onload), or JavaScript URIs in plugin configuration fields
- Reports of browser security warnings or unexpected JavaScript execution from site visitors
- Visitor-side evidence (CSP violation reports, browser extension alerts, support tickets) of script loads or beacons to domains the site does not legitimately use
Detection Strategies
- Review WordPress plugin settings for More Link Modifier to identify any unauthorized or suspicious content
- Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Monitor HTTP request logs for POST requests to WordPress admin endpoints (for example wp-admin/admin-post.php, admin-ajax.php or options.php) whose Referer or Origin header names a different origin than the site itself; a missing Referer on such a POST also merits review
- Deploy web application firewalls (WAF) with XSS and CSRF detection signatures
Monitoring Recommendations
- Enable WordPress audit logging to track all plugin setting changes with user attribution
- Configure alerts for plugin configuration modifications occurring outside normal administrative hours
- Implement browser-based XSS detection through CSP violation reporting
- Regularly scan stored content and database fields for XSS indicators
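The two log- and database-side checks above (scanning stored plugin values for script indicators, and flagging cross-origin POSTs to admin endpoints) can be scripted. The following standalone PHP CLI script is an added example for this page, not part of the original advisory or the plugin; the site host, the option names and the Apache combined-format log lines are constructed samples. In production the option values would come from a `wp option get` dump or a query on `wp_options`.

```php
<?php
// Added detection example. Site host, option values and log lines are constructed.

const SITE_HOST = 'blog.example.test';

// Indicators of a stored-XSS payload inside a settings value. Entities are
// decoded first so '&lt;script&gt;' smuggled past a naive filter is still seen.
function xss_indicators(string $value): array {
    $patterns = [
        'script tag'          => '/<\s*script\b/i',
        'event handler'       => '/\bon[a-z]+\s*=/i',
        'javascript: URI'     => '/\bjavascript\s*:/i',
        'data:text/html URI'  => '/\bdata\s*:\s*text\/html/i',
        'svg/iframe/object'   => '/<\s*(svg|iframe|object|embed)\b/i',
    ];
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5);
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scan_options(array $options): array {
    $findings = [];
    foreach ($options as $name => $value) {
        $hits = xss_indicators((string) $value);
        if ($hits) {
            $findings[$name] = $hits;
        }
    }
    return $findings;
}

// Apache combined log: ip - user [time] "METHOD path PROTO" status size "referer" "ua"
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

// A POST to wp-admin whose Referer is another origin (or absent) is the shape a
// CSRF request leaves in the access log. Browsers strip Referer under some
// referrer policies, so treat an absent value as "review", not "attack".
function is_cross_origin_admin_post(array $r, string $site_host): bool {
    if ($r['method'] !== 'POST' || strpos($r['path'], '/wp-admin/') !== 0) {
        return false;
    }
    if ($r['referer'] === '' || $r['referer'] === '-') {
        return true;
    }
    $host = parse_url($r['referer'], PHP_URL_HOST);
    return strcasecmp((string) $host, $site_host) !== 0;
}

// --- constructed sample data ---------------------------------------------
$options = [
    'mlm_more_label'   => 'Read more &raquo;',
    'mlm_more_html'    => '<img src=x onerror=alert(document.domain)>',
    'mlm_more_encoded' => '&lt;script&gt;fetch(&quot;https://attacker.example/c&quot;)&lt;/script&gt;',
];
$log = [
    '203.0.113.7 - - [16/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.test/wp-admin/options-general.php?page=mlm" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2025:10:07:45 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Jan/2025:10:08:00 +0000] "GET /2025/01/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (scan_options($options) as $name => $hits) {
    printf("[option] %s: %s\n", $name, implode(', ', $hits));
}
foreach ($log as $line) {
    $r = parse_log_line($line);
    if ($r !== null && is_cross_origin_admin_post($r, SITE_HOST)) {
        printf("[log] %s %s POST %s referer=%s\n", $r['time'], $r['ip'], $r['path'], $r['referer']);
    }
}
```

Run with `php scan.php`; expect the two tainted options and the second log line (Referer on attacker.example) to be reported, while the legitimate settings save and the front-end GET stay silent. The event-handler regex is deliberately broad and will occasionally flag benign text such as `online=`, so treat hits as review queue items rather than verdicts.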
How to Mitigate CVE-2025-23818
Immediate Actions Required
- Deactivate and remove the More Link Modifier plugin if it is not essential to site functionality
- Review and sanitize any existing plugin settings for malicious content
- Implement a Web Application Firewall (WAF) to filter CSRF and XSS attack attempts
- Educate administrators about the risks of visiting untrusted links while logged into WordPress
Patch Information
As of the last NVD update on 2026-04-23, this vulnerability affects More Link Modifier plugin versions through 1.0.3. Organizations should check the WordPress plugin repository or contact the plugin developer (pyko) to determine if a patched version is available. If no patch exists, consider replacing the plugin with an alternative that provides similar functionality with proper security controls.
For the latest vulnerability information, consult the Patchstack Vulnerability Report.
Workarounds
- Disable the More Link Modifier plugin until a security patch is released
- Restrict wp-admin access to trusted IP addresses; note that this limits who can reach the dashboard but does not stop this CSRF, because the forged request is sent by the administrator's own browser from an allowed address
- Set the HttpOnly and Secure flags on session cookies; this prevents an injected script from reading the cookie but not from acting with the victim's session, so it reduces rather than removes the XSS impact
- Deploy Content Security Policy headers to block inline script execution on the front end, starting in report-only mode so that legitimate inline scripts are identified before enforcement
# wp-admin/.htaccess: restrict the admin directory by IP (Apache 2.4 syntax).
# A <Files> section matches file names, not directories, so this belongs in the
# wp-admin directory itself or in a <Directory> block in the server config.
Require ip 192.168.1.0/24 10.0.0.0/8
# Front-end features call admin-ajax.php from visitor browsers; keep it reachable.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Site-root .htaccess: Content-Security-Policy in report-only mode. A policy of
# script-src 'self' blocks the inline scripts the WordPress dashboard relies on,
# so review violation reports and scope enforcement to front-end paths first.
<IfModule mod_headers.c>
    Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-report"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.