CVE-2025-25104 Overview
CVE-2025-25104 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the URL-Preview-Box WordPress plugin (good-url-preview-box) by mraliende. The flaw exists in versions up to and including 1.20. According to the Patchstack Vulnerability Advisory, the CSRF condition chains into stored Cross-Site Scripting (XSS), allowing attackers to persist malicious script payloads through authenticated victim actions. The vulnerability is categorized under [CWE-352] and requires user interaction to trigger.
Critical Impact
An attacker can trick an authenticated WordPress administrator into submitting a forged request that injects persistent JavaScript into the site, compromising confidentiality, integrity, and availability of the affected installation.
Affected Products
- mraliende URL-Preview-Box (good-url-preview-box) WordPress plugin
- All versions from n/a through 1.20
- WordPress installations with the vulnerable plugin enabled
Discovery Timeline
- 2025-02-07 - CVE-2025-25104 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-25104
Vulnerability Analysis
The URL-Preview-Box plugin fails to validate the origin or authenticity of state-changing HTTP requests submitted to its administrative endpoints. WordPress provides a nonce mechanism (wp_nonce_field and check_admin_referer) to defend against CSRF, but the affected plugin versions do not enforce this control on at least one privileged action. An attacker who can lure an authenticated administrator to a malicious page can cause that administrator's browser to issue a state-changing request to the WordPress site. Because the request flows from the legitimate user's session, the application processes it as authorized.
Root Cause
The root cause is a missing or insufficient anti-CSRF token check in plugin request handlers, classified as [CWE-352] Cross-Site Request Forgery. The handler accepts user-controlled input and persists it to the database without verifying request provenance, creating a CSRF-to-stored-XSS chain as documented in the Patchstack Vulnerability Advisory.
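An illustrative contrast of the defect the advisory describes and its fix, written for this page and not taken from the plugin's code (the option, action and function names below are hypothetical): the first handler persists user input with no nonce or capability check, the second verifies the nonce with check_admin_referer, checks the caller's capability and sanitizes the value before storing it, which closes both the CSRF and the stored-XSS half of the chain.

```php
<?php
// Illustrative example, not the plugin's own code; option, action and
// function names are hypothetical.

// Vulnerable pattern (the defect the advisory describes): no nonce check,
// no capability check, raw HTML persisted -> CSRF chaining into stored XSS.
function upb_example_save_settings_vulnerable() {
    if ( isset( $_POST['upb_example_preview_html'] ) ) {
        update_option( 'upb_example_preview_html', wp_unslash( $_POST['upb_example_preview_html'] ) );
    }
}
add_action( 'admin_post_upb_example_save_vulnerable', 'upb_example_save_settings_vulnerable' );

// Hardened form: the form carries a nonce, the handler verifies it and the
// caller's capability, and the stored value is sanitized.
function upb_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'upb_example_save', 'upb_example_nonce' ); // hidden nonce field
    echo '<input type="hidden" name="action" value="upb_example_save">';
    echo '<textarea name="upb_example_preview_html"></textarea>';
    submit_button();
    echo '</form>';
}

function upb_example_save_settings_hardened() {
    // Dies with 403 when the nonce is missing, expired or forged.
    check_admin_referer( 'upb_example_save', 'upb_example_nonce' );
    // Rejects authenticated but under-privileged users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $raw = isset( $_POST['upb_example_preview_html'] ) ? wp_unslash( $_POST['upb_example_preview_html'] ) : '';
    // wp_kses_post strips <script>, on* event handlers and javascript: URLs.
    $clean = wp_kses_post( $raw );
    update_option( 'upb_example_preview_html', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_upb_example_save', 'upb_example_save_settings_hardened' );
```

The stored value should also be passed through wp_kses_post (or escaped) again at render time, since sanitization at write time does not protect rows that were injected before the fix.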
Attack Vector
Exploitation proceeds in three stages. First, the attacker hosts a crafted webpage containing an auto-submitting HTML form or JavaScript that targets the vulnerable plugin endpoint. Second, the attacker delivers the link to an authenticated WordPress administrator through phishing or social engineering. Third, when the administrator visits the page, their browser submits the forged request along with valid session cookies, causing the plugin to store attacker-controlled script content. Subsequent visits to the affected page execute the injected JavaScript in the context of site visitors and administrators.
Detection Methods for CVE-2025-25104
Indicators of Compromise
- Unexpected <script> tags, event handlers, or obfuscated JavaScript stored in plugin-managed content fields.
- WordPress administrator activity logs showing plugin configuration changes whose requests carried an external (non-site) HTTP Referer header.
- Outbound requests from visitor browsers to unfamiliar domains after rendering pages that use the URL preview box.
Detection Strategies
- Inventory WordPress sites for the good-url-preview-box plugin at version 1.20 or earlier using plugin management tools or filesystem scans.
- Review web server access logs for POST requests to the plugin's admin endpoints lacking a same-origin Referer header.
- Scan the WordPress database for stored content matching XSS payload signatures such as onerror=, javascript:, or encoded <script> variants.
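A detection script for the database scan described above, added here as an example and not part of the advisory or the plugin (function names are hypothetical). It runs inside the WordPress install via WP-CLI, walks the options table in batches, undoes URL and HTML-entity encoding so encoded <script> variants surface, and flags values matching the listed signatures.

```php
<?php
// Illustrative detection script, not part of the plugin or the advisory.
// Run from the site root with: wp eval-file scan-stored-xss.php

function upb_example_normalise( $value ) {
    // Undo URL and entity encoding; three rounds also cover double-encoding.
    $v = $value;
    for ( $i = 0; $i < 3; $i++ ) {
        $v = html_entity_decode( rawurldecode( $v ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    return $v;
}

function upb_example_xss_signatures( $value ) {
    $patterns = array(
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon(?:error|load|click|mouse\w+|focus|blur|key\w+)\s*=/i',
        'javascript_uri' => '/javascript\s*:/i',
        'data_html_uri'  => '/data\s*:\s*text\/html/i',
    );
    $hits = array();
    foreach ( $patterns as $name => $re ) {
        if ( preg_match( $re, $value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

global $wpdb;
$offset = 0;
$batch  = 500;
$found  = 0;
do {
    // Serialized option values are plain strings here, so the regexes apply directly.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_id, option_name, option_value FROM {$wpdb->options} ORDER BY option_id LIMIT %d OFFSET %d",
        $batch, $offset
    ) );
    foreach ( $rows as $row ) {
        $hits = upb_example_xss_signatures( upb_example_normalise( $row->option_value ) );
        if ( $hits ) {
            $found++;
            WP_CLI::warning( sprintf( 'option %s (#%d): %s', $row->option_name, $row->option_id, implode( ',', $hits ) ) );
        }
    }
    $offset += $batch;
} while ( count( $rows ) === $batch );
WP_CLI::log( "Scanned {$offset} option rows, {$found} suspicious value(s)." );
```

Legitimate options (themes, page builders) may contain inline event handlers, so treat hits as leads for manual review rather than confirmed compromise.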
Monitoring Recommendations
- Alert on modifications to plugin settings outside of approved administrative change windows.
- Monitor authenticated admin sessions for cross-origin form submissions using a web application firewall (WAF).
- Correlate administrator browser activity with subsequent plugin configuration changes to identify CSRF-driven actions.
How to Mitigate CVE-2025-25104
Immediate Actions Required
- Disable or remove the good-url-preview-box plugin until a patched version is installed.
- Audit all plugin-managed content for injected scripts and remove malicious entries from the database.
- Force a password reset and session invalidation for WordPress administrator accounts that may have visited untrusted sites.
Patch Information
At the time of publication, no fixed version is listed in the available references. Administrators should monitor the Patchstack Vulnerability Advisory and the plugin's WordPress.org listing for an updated release that introduces nonce validation on all state-changing endpoints.
Workarounds
- Deploy a WAF rule that blocks cross-origin POST requests to /wp-admin/ paths associated with the plugin.
- Restrict WordPress administrator access to dedicated browsers or sessions used solely for site management to reduce CSRF exposure.
- Enforce a Content Security Policy (CSP) that disallows inline scripts to limit the impact of any stored XSS payload.
# Configuration example: deactivate the vulnerable plugin via WP-CLI
wp plugin deactivate good-url-preview-box
wp plugin delete good-url-preview-box
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


