CVE-2025-5983
Description
The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Meta Tag Manager plugin before 3.3 allows contributors and above to inject open redirect meta tags, enabling phishing attacks.
Vulnerability
Overview
The Meta Tag Manager WordPress plugin versions before 3.3 fail to restrict which user roles can create http-equiv="refresh" meta tags. This oversight allows authenticated users with at least Contributor-level access to inject arbitrary redirect URLs into posts or pages.
Exploitation
An attacker with a Contributor account or higher can add a meta refresh tag pointing to an external malicious site. No additional authentication or special privileges beyond the standard WordPress contributor role are needed. The vulnerability is triggered when a visitor loads the compromised page, which automatically redirects the browser to the attacker-controlled destination.
Impact
By leveraging this open redirect, an attacker can craft phishing campaigns that appear to originate from the legitimate WordPress site. Users may be tricked into visiting fake login pages or malicious downloads, increasing the risk of credential theft or malware infection. The CWE classification is CWE-601 (URL Redirection to Untrusted Site) [1], indicating a clear open redirect pattern.
Mitigation
The issue is fixed in version 3.3 of the Meta Tag Manager plugin. Site administrators should update immediately. The WPVDB entry notes the vulnerability was publicly disclosed on 2025-10-01 [1].
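As an added example (not code from the plugin or from this CVE record), a small audit a site owner could run over exported post meta tags to find the pattern described above: http-equiv="refresh" tags whose target is off-site and which were created by a role that does not normally hold unfiltered_html. The record layout, the trusted-role set and the site host are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Roles assumed to hold unfiltered_html on a single-site install (Contributors and Authors do not).
TRUSTED_ROLES = {"administrator", "editor"}
META_RE = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?\s*refresh\s*["\']?[^>]*>', re.I)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.I)

def refresh_targets(html):
    """Return the URLs named by http-equiv="refresh" meta tags in html."""
    targets = []
    for tag in META_RE.findall(html):
        m = CONTENT_RE.search(tag)
        if not m:
            continue
        # The content attribute looks like "0; url=https://host/path".
        parts = m.group(1).split(";", 1)
        if len(parts) == 2:
            value = parts[1].strip()
            if value.lower().startswith("url="):
                value = value[4:].strip().strip("'\"")
            targets.append(value)
    return targets

def is_external(url, site_host):
    """True when url names a host other than the site's own (relative URLs are local)."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != site_host.lower()

def audit(records, site_host):
    """Flag refresh tags that a non-trusted role pointed off-site."""
    findings = []
    for rec in records:
        for url in refresh_targets(rec["meta_html"]):
            if rec["author_role"] not in TRUSTED_ROLES and is_external(url, site_host):
                findings.append((rec["post_id"], rec["author_role"], url))
    return findings

# Constructed sample records; hosts use reserved example names only.
SAMPLE = [
    {"post_id": 101, "author_role": "contributor",
     "meta_html": '<meta http-equiv="refresh" content="0; url=https://login-example.invalid/">'},
    {"post_id": 102, "author_role": "administrator",
     "meta_html": '<meta http-equiv="refresh" content="5; url=https://example.org/new">'},
    {"post_id": 103, "author_role": "contributor",
     "meta_html": '<meta name="description" content="hello">'},
    {"post_id": 104, "author_role": "contributor",
     "meta_html": '<meta http-equiv="refresh" content="0;URL=/local-page">'},
]
```

Running `audit(SAMPLE, "example.org")` reports only post 101; the administrator's redirect and the contributor's same-site relative redirect are not flagged.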
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <3.3
- (no CPE) range: <3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.