VYPR
Medium severity 6.1 · NVD Advisory · Published Sep 20, 2025 · Updated Apr 15, 2026

CVE-2025-9883


Description

The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Browser Sniff plugin for WordPress (≤2.3) has a CSRF vulnerability due to missing nonce validation, enabling unauthenticated attackers to inject malicious scripts into plugin settings.

Vulnerability Overview

The Browser Sniff plugin for WordPress, in all versions up to and including 2.3, lacks proper nonce validation on a function that handles plugin settings. This absence of a CSRF token check allows an unauthenticated attacker to forge requests that modify the plugin's configuration.

Exploitation

To exploit this vulnerability, an attacker must trick a logged-in site administrator into performing an action, such as clicking a specially crafted link. The forged request can then update arbitrary plugin settings without the administrator's awareness.

Impact

Successful exploitation enables the attacker to inject malicious web scripts into the plugin's settings. These scripts can be stored and executed in the context of the administrator's session, leading to stored cross-site scripting (XSS) attacks that may affect other users or compromise the site.

Mitigation Status

The plugin has been closed as of September 17, 2025, and is no longer available for download [1]. No official patch exists for this vulnerability, and administrators are strongly advised to remove the plugin from their WordPress installations.
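With no patch available, the same flaw class (a handler that writes plugin options from request data without verifying a nonce) can be triaged in other installed plugin code with a heuristic like the one below. This is an added example, not code from the Browser Sniff plugin or from this advisory; the `demo_*` function names, option key and sample PHP are constructed for illustration.

```python
import re

# WordPress core functions that verify a nonce (CSRF token) on a request.
NONCE_CHECKS = ("check_admin_referer", "wp_verify_nonce", "check_ajax_referer")
WRITES = re.compile(r"\b(?:update|add|delete)_option\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST)\b")
# Named functions and methods, tolerating a return type before the body.
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)[^{;]*\{")

# Constructed sample input: one handler without a nonce check, one with.
SAMPLE = r"""<?php
function demo_save_unguarded() {
    if ( isset( $_POST['demo_banner'] ) ) {
        update_option( 'demo_banner', $_POST['demo_banner'] );
    }
}
function demo_save_guarded() {
    check_admin_referer( 'demo_save', 'demo_nonce' );
    if ( current_user_can( 'manage_options' ) ) {
        update_option( 'demo_banner',
            sanitize_text_field( wp_unslash( $_POST['demo_banner'] ) ) );
    }
}
"""


def function_bodies(php_source):
    """Yield (name, body) per named function; naive brace matching."""
    for m in FUNC_HEADER.finditer(php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            i += 1
        yield m.group(1), php_source[m.end():i]


def unguarded_settings_writers(php_source):
    """Functions that write options from request data with no nonce call."""
    flagged = []
    for name, body in function_bodies(php_source):
        if WRITES.search(body) and REQUEST_INPUT.search(body):
            if not any(check in body for check in NONCE_CHECKS):
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(unguarded_settings_writers(SAMPLE))
```

A hit is a lead for manual review, not a finding. A function that does call a nonce check can still use it incorrectly (for example by ignoring the return value of `wp_verify_nonce`), and handlers written at file scope rather than inside a function are not seen by this scan.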

References
  1. Browser Sniff

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
