Skip to main content
CVE Vulnerability Database

CVE-2025-9884: Mobile Site Redirect CSRF Vulnerability

CVE-2025-9884 is a Cross-Site Request Forgery flaw in the Mobile Site Redirect plugin for WordPress that allows attackers to modify settings and inject scripts. This article covers technical details, affected versions, and steps.

Published:

CVE-2025-9884 Overview

CVE-2025-9884 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mobile Site Redirect plugin for WordPress. The flaw affects all versions up to and including 1.2.1. The plugin fails to properly validate nonces on a settings function, allowing unauthenticated attackers to forge requests that modify plugin settings and inject malicious web scripts. Exploitation requires tricking a site administrator into clicking a crafted link or visiting an attacker-controlled page. The vulnerability is categorized under CWE-352 (Cross-Site Request Forgery).

Critical Impact

Successful exploitation allows unauthenticated attackers to modify plugin settings and inject arbitrary JavaScript into WordPress sites by tricking administrators into clicking forged requests.

Affected Products

  • WordPress Mobile Site Redirect plugin versions up to and including 1.2.1
  • WordPress installations with the vulnerable plugin activated
  • Administrator sessions authenticated to affected WordPress sites

Discovery Timeline

  • 2025-10-03 - CVE-2025-9884 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9884

Vulnerability Analysis

The Mobile Site Redirect plugin exposes an administrative settings handler that processes state-changing requests without verifying a valid WordPress nonce token. Nonces in WordPress provide a per-user, per-action token that prevents CSRF by ensuring requests originate from an authenticated session interacting with a trusted form. When these checks are missing or incorrect, an attacker can craft an HTML form or link that submits arbitrary settings values on behalf of an authenticated administrator.

Because the plugin also stores and renders values that influence page output, an attacker can persist malicious script content through the same forged request. This turns a CSRF flaw into a persistent script injection vector, expanding the impact beyond simple setting tampering.

Root Cause

The root cause is missing or incorrect nonce validation in the plugin's admin handler referenced in mobired_admin.php. WordPress plugins are expected to call check_admin_referer() or wp_verify_nonce() before processing settings updates, and the affected function omits this control. See the WordPress plugin code reference for the affected code path.

Attack Vector

An unauthenticated remote attacker hosts a page containing an auto-submitting form or crafted link targeting the vulnerable admin endpoint. When a logged-in WordPress administrator visits the page, the browser sends the request with the administrator's session cookies. The plugin processes the request as legitimate and applies the attacker-controlled settings, including any injected script content that later executes in the browser of site visitors or administrators.

The vulnerability requires user interaction from a privileged account, which limits opportunistic mass exploitation but remains practical against targeted administrators through phishing or watering-hole attacks.

Detection Methods for CVE-2025-9884

Indicators of Compromise

  • Unexpected changes to Mobile Site Redirect plugin settings, particularly redirect targets or script fields
  • Presence of <script> tags or JavaScript payloads within stored plugin options in the wp_options table
  • Administrator page loads originating from external referrers immediately preceding settings modifications
  • Outbound redirects from the WordPress site to unknown or attacker-controlled domains

Detection Strategies

  • Monitor WordPress audit logs for settings updates to the mobile-site-redirect plugin options without corresponding admin-initiated form submissions
  • Inspect HTTP request logs for POST requests to the plugin's admin handler lacking a valid _wpnonce parameter or referer header
  • Scan the wp_options table for script tags or unusual characters within Mobile Site Redirect configuration values

Monitoring Recommendations

  • Enable file integrity monitoring on the wp-content/plugins/mobile-site-redirect/ directory
  • Alert on administrator sessions that trigger plugin configuration changes shortly after visiting external URLs
  • Review web server access logs for suspicious referrers pointing at the plugin's admin page

How to Mitigate CVE-2025-9884

Immediate Actions Required

  • Deactivate the Mobile Site Redirect plugin until a patched version is confirmed available from the WordPress plugin repository
  • Audit current plugin settings and remove any unexpected script content or unauthorized redirect targets
  • Rotate administrator credentials if unauthorized configuration changes are found

Patch Information

No patched version is listed in the NVD entry at the time of publication. Administrators should monitor the Wordfence vulnerability entry and the WordPress plugin page for a release addressing the missing nonce validation.

Workarounds

  • Remove the plugin entirely if mobile redirect functionality is not business-critical
  • Restrict WordPress admin access to trusted IP ranges via web server or WAF rules to reduce CSRF exposure
  • Require administrators to use separate browser profiles or sessions when performing WordPress management tasks
  • Deploy a web application firewall rule blocking POST requests to the plugin's admin endpoint that lack a valid nonce parameter
bash
# Disable the vulnerable plugin via WP-CLI until a patch is available
wp plugin deactivate mobile-site-redirect
wp plugin delete mobile-site-redirect

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.