{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9885", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:14:50.332Z", "datePublished": "2025-10-03T11:17:09.201Z", "dateUpdated": "2026-04-08T16:43:57.079Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:57.079Z"}, "affected": [{"vendor": "laudanumsoft", "product": "MPWizard \u2013 Create Mercado Pago Payment Links", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MPWizard \u2013 Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "MPWizard \u2013 Create Mercado Pago Payment Links <= 1.2.1 - Cross-Site Request Forgery to Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ca6746d-afca-4ade-bd2e-4d37dedd3c5c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mpwizard/tags/1.2.1/includes/admin/class-mpwizard-table.php#L157"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-02T21:29:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:01:03.008791Z", "id": "CVE-2025-9885", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:01:14.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:01:03.008791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:01:09.411Z"}}], "cna": {"title": "MPWizard \u2013 Create Mercado Pago Payment Links <= 1.2.1 - Cross-Site Request Forgery to Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "laudanumsoft", "product": "MPWizard \u2013 Create Mercado Pago Payment Links", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T21:29:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ca6746d-afca-4ade-bd2e-4d37dedd3c5c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mpwizard/tags/1.2.1/includes/admin/class-mpwizard-table.php#L157"}], "descriptions": [{"lang": "en", "value": "The MPWizard \u2013 Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-03T11:17:09.201Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9885", "state": "PUBLISHED", "dateUpdated": "2025-10-03T18:01:14.348Z", "dateReserved": "2025-09-02T22:14:50.332Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:09.201Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MPWizard \u2013 Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9885", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:49.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mpwizard/tags/1.2.1/includes/admin/class-mpwizard-table.php#L157"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ca6746d-afca-4ade-bd2e-4d37dedd3c5c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:13:57.611287+00:00", "value": {"mitigation_remediation": ["Upgrade MPWizard to any version newer than 1.2.1.", "If an upgrade is not yet available, temporarily disable or restrict the delete action in the plugin until a patch is released.", "Ensure that WordPress administrator accounts use strong, unique passwords and two\u2011factor authentication.", "Use a security plugin or server\u2011level CSRF protection to monitor and block unexpected admin\u2011only POST requests."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Request Forgery leading to arbitrary post deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects laudanumsoft\u2019s MPWizard \u2013 Create Mercado Pago Payment Links plugin, any WordPress installation running the plugin up to and including version 1.2.1. No CPE string detail is required for the assessment, but administrators should verify that the plugin is not in the affected version range.", "description_and_impact": "The MPWizard \u2013 Create Mercado Pago Payment Links plugin for WordPress contains a Cross\u2011Site Request Forgery vulnerability that allows an unauthenticated attacker to trigger global post deletions. The flaw arises from missing or improperly validated nonce checks in the admin table handling code. If an attacker can entice an administrator to open a crafted URL, that admin\u2019s authenticated session can be used to delete any WordPress post that the admin has permission to delete.", "risk_and_exploitability": "The CVSS base score of 4.3 places this vulnerability in the moderate range, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. As it is not listed in CISA\u2019s KEV catalog, there are no known active exploitation campaigns reported. The attack vector is CSRF; the attacker requires an authenticated administrator\u2019s session and a social\u2011engineering promise to click a malicious link. While the impact is limited to post deletion, it can disrupt site content and lead to reputational or revenue loss."}}}}, "created": "2025-10-06T14:42:48.339704+00:00", "updated": "2026-04-22T14:15:20.428016+00:00", "vendors": ["laudanumsoft", "laudanumsoft$PRODUCT$mpwizard", "wordpress", "wordpress$PRODUCT$wordpress"]}