{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9884", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T21:58:16.770Z", "datePublished": "2025-10-03T11:17:12.758Z", "dateUpdated": "2026-04-08T16:55:38.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:38.379Z"}, "affected": [{"vendor": "webdevabq", "product": "Mobile Site Redirect", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c921300-88ef-43b8-959e-2bc490cf303f?source=cve"}, {"url": "https://wordpress.org/plugins/mobile-site-redirect/"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-site-redirect/tags/1.2.1/mobired_admin.php#L27"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-10-02T22:18:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:10:33.403841Z", "id": "CVE-2025-9884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:10:45.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:10:33.403841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:10:39.943Z"}}], "cna": {"title": "Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "webdevabq", "product": "Mobile Site Redirect", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:18:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c921300-88ef-43b8-959e-2bc490cf303f?source=cve"}, {"url": "https://wordpress.org/plugins/mobile-site-redirect/"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-site-redirect/tags/1.2.1/mobired_admin.php#L27"}], "descriptions": [{"lang": "en", "value": "The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:38.379Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9884", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:38.379Z", "dateReserved": "2025-09-02T21:58:16.770Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:12.758Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9884", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:49.800", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mobile-site-redirect/tags/1.2.1/mobired_admin.php#L27"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/mobile-site-redirect/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c921300-88ef-43b8-959e-2bc490cf303f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:36:51.566534+00:00", "value": {"mitigation_remediation": ["Update the Mobile Site Redirect plugin to a version newer than 1.2.1 as soon as an official fix is released by the vendor.", "If an update is unavailable, disable or uninstall the plugin until the issue is resolved.", "Ensure WordPress administrator accounts use strong, unique passwords and enable two\u2011factor authentication to reduce the likelihood that administrators are tricked into executing forged requests.", "Review the site\u2019s embedded scripts and admin\u2011generated content for any unexpected JavaScript and remove or sanitize them."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"Mobile Site Redirect\" from vendor \"webdevabq\" for all releases up to and including version 1.2.1. No later versions are known to be affected. Sites running the plugin with administrative privileges are at risk.", "description_and_impact": "The Mobile Site Redirect plugin contains a defect in nonce validation that permits Cross\u2011Site Request Forgery. An unauthenticated attacker can create a forged request that, if a site administrator clicks a malicious link while logged in, will modify plugin settings and inject arbitrary JavaScript. The injected script is stored and served to all site visitors, enabling confidentiality and integrity violations and potentially facilitating account takeover or data exfiltration. The weakness is identified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 6.1 places this vulnerability in the medium severity range. EPSS indicates a very low probability of exploitation (<1%) and the issue is not listed in the CISA KEV catalog. The attack requires a logged\u2011in administrator who clicks a crafted link, a typical CSRF vector, which makes the risk moderate yet significant if the attacker successfully injects persistent malicious scripts that affect many users."}}}}, "created": "2025-10-06T14:42:57.334783+00:00", "updated": "2026-04-21T02:45:25.945620+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}