Description
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Immediate Patch
AI Analysis

Impact

The Mobile Site Redirect plugin contains a defect in nonce validation that permits Cross‑Site Request Forgery. An unauthenticated attacker can create a forged request that, if a site administrator clicks a malicious link while logged in, will modify plugin settings and inject arbitrary JavaScript. The injected script is stored and served to all site visitors, enabling confidentiality and integrity violations and potentially facilitating account takeover or data exfiltration. The weakness is identified as CWE‑352.

Affected Systems

The vulnerability affects the WordPress plugin "Mobile Site Redirect" from vendor "webdevabq" for all releases up to and including version 1.2.1. No later versions are known to be affected. Sites running the plugin with administrative privileges are at risk.

Risk and Exploitability

The CVSS score of 6.1 places this vulnerability in the medium severity range. EPSS indicates a very low probability of exploitation (<1%) and the issue is not listed in the CISA KEV catalog. The attack requires a logged‑in administrator who clicks a crafted link, a typical CSRF vector, which makes the risk moderate yet significant if the attacker successfully injects persistent malicious scripts that affect many users.

Generated by OpenCVE AI on April 21, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mobile Site Redirect plugin to a version newer than 1.2.1 as soon as an official fix is released by the vendor.
  • If an update is unavailable, disable or uninstall the plugin until the issue is resolved.
  • Ensure WordPress administrator accounts use strong, unique passwords and enable two‑factor authentication to reduce the likelihood that administrators are tricked into executing forged requests.
  • Review the site’s embedded scripts and admin‑generated content for any unexpected JavaScript and remove or sanitize them.

Generated by OpenCVE AI on April 21, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32273 The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:38.379Z

Reserved: 2025-09-02T21:58:16.770Z

Link: CVE-2025-9884

cve-icon Vulnrichment

Updated: 2025-10-03T18:10:39.943Z

cve-icon NVD

Status : Deferred

Published: 2025-10-03T12:15:49.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9884

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses