CVE-2025-9884
Description
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Mobile Site Redirect plugin for WordPress allows unauthenticated attackers to update settings and inject scripts via forged requests.
Vulnerability Overview
The Mobile Site Redirect plugin for WordPress, in all versions up to and including 1.2.1, is vulnerable to Cross-Site Request Forgery (CSRF). The root cause is missing or incorrect nonce validation on a function that handles settings updates. This flaw allows an attacker to craft a malicious request that, when triggered by an authenticated administrator, can modify plugin settings and inject arbitrary web scripts [1].
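The following added example (not the Mobile Site Redirect source, which this page does not show) contrasts a settings handler that lacks nonce validation with a hardened one. The plugin name `example_redirect`, its option key, form field and admin page slug are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical plugin "example_redirect", not the affected plugin's code.

// Settings form: embeds a nonce tied to this action and the logged-in user's session.
function example_redirect_render_form() {
    $url = get_option( 'example_redirect_url', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_redirect_save">
        <?php wp_nonce_field( 'example_redirect_save', 'example_redirect_nonce' ); ?>
        <!-- Escape on output so a stored value cannot break out of the attribute. -->
        <input type="url" name="redirect_url" value="<?php echo esc_attr( $url ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// VULNERABLE pattern, shown for contrast and deliberately not hooked:
// no nonce check, no capability check, raw input stored. Any request that
// rides an administrator's session cookie can change the setting.
function example_redirect_save_vulnerable() {
    update_option( 'example_redirect_url', $_POST['redirect_url'] );
}

// HARDENED handler.
function example_redirect_save() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: aborts the request unless the nonce from the form is valid.
    check_admin_referer( 'example_redirect_save', 'example_redirect_nonce' );

    // 3. Input handling: store only a sanitized URL, never raw markup.
    $url = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';
    update_option( 'example_redirect_url', $url );

    // Hypothetical settings page slug.
    wp_safe_redirect( admin_url( 'options-general.php?page=example-redirect' ) );
    exit;
}
add_action( 'admin_post_example_redirect_save', 'example_redirect_save' );
```

The nonce check stops the forged request; the sanitization and output escaping limit what a stored setting can do if a write does get through.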
Exploitation Prerequisites
Exploitation requires no authentication from the attacker, but relies on social engineering to trick a site administrator into performing an action such as clicking a link. The attack is performed via a forged HTTP request that leverages the administrator's active session to execute unauthorized actions [1].
Impact
Successful exploitation enables an unauthenticated attacker to update plugin settings and inject malicious web scripts. This can lead to stored cross-site scripting (XSS) attacks, potentially compromising the WordPress site and its users [1].
Mitigation Status
The plugin has been closed as of September 30, 2025, due to a security issue and is no longer available for download. Users should remove the plugin immediately and seek alternative solutions [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.