Platform: wordpress
Component: mavis-https-to-http-redirect
Fixed in: 1.4.4
CVE-2025-58261 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in PressPage Entertainment Inc's Mavis HTTPS to HTTP Redirection plugin. This flaw enables attackers to execute Stored XSS attacks, potentially compromising user accounts and website functionality. The vulnerability impacts versions from 0.0.0 through 1.4.3, but a fix is available in version 1.4.4.
The primary impact of CVE-2025-58261 stems from the ability to trigger Stored XSS attacks via CSRF. An attacker could craft malicious requests that, when triggered by a legitimate user, execute arbitrary JavaScript code within the user's browser context. This could lead to session hijacking, unauthorized data modification, redirection to phishing sites, or defacement of the website. The stored nature of the XSS means the payload persists even after the initial attack, potentially affecting multiple users over time. The potential for account takeover is significant, allowing attackers to gain control of administrator accounts and further compromise the system.
CVE-2025-58261 was publicly disclosed on 2025-09-22. No known public proof-of-concept (POC) exploits are currently available, but the combination of CSRF and Stored XSS makes it a high-priority vulnerability. The EPSS score is likely to be medium, reflecting the potential for significant impact and the relative ease of exploitation once a POC is developed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
The recommended mitigation for CVE-2025-58261 is to immediately upgrade the Mavis HTTPS to HTTP Redirection plugin to version 1.4.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider deploying a Content Security Policy (CSP) that restricts inline scripts and external script sources, which limits what a stored payload can execute even if it reaches the page. Additionally, apply strict input validation and output encoding so that user-supplied data is sanitized before storage and escaped when rendered. Web Application Firewall (WAF) rules can be configured to detect and block suspicious cross-site requests, but a WAF is not a substitute for patching. After upgrading, confirm the fix by submitting a request that lacks the plugin's request token and verifying that the setting is not changed.
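To make the mitigation concrete, the following is an added example written for this page; it is not the Mavis plugin's code, and every function name prefixed `hypothetical_` is an assumption. It shows the unsafe WordPress settings-handler pattern that lets a forged request store a script payload, next to the hardened form that adds a nonce check (the standard WordPress CSRF control), a capability check, input validation, and output escaping:

```php
<?php
// Hypothetical settings handler (assumption: not the Mavis plugin's code).
// Illustrates the CSRF-to-stored-XSS pattern from the advisory and its fix.

// VULNERABLE pattern: no nonce, no capability check, raw value stored verbatim.
function hypothetical_save_redirect_setting_vulnerable() {
    if ( isset( $_POST['redirect_target'] ) ) {
        // A cross-site POST riding on an admin's logged-in session lands here.
        // The raw value is stored and later echoed unescaped, so a script
        // payload persists for every user who views the settings page.
        update_option( 'hypothetical_redirect_target', $_POST['redirect_target'] );
    }
}

// HARDENED pattern, part 1: render the form with a nonce and escaped output.
function hypothetical_render_settings_form() {
    $current = get_option( 'hypothetical_redirect_target', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_save_redirect">';
    wp_nonce_field( 'hypothetical_save_redirect', 'hypothetical_nonce' );
    // Escape on output so a stored value cannot break out of the attribute.
    echo '<input name="redirect_target" value="' . esc_attr( $current ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// HARDENED pattern, part 2: verify nonce and capability, validate, then store.
function hypothetical_save_redirect_setting_hardened() {
    if ( ! isset( $_POST['redirect_target'] ) ) {
        return;
    }
    // A forged cross-site request cannot supply a valid nonce; this dies on failure.
    check_admin_referer( 'hypothetical_save_redirect', 'hypothetical_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $raw = wp_unslash( $_POST['redirect_target'] );
    // Accept only http/https URLs; esc_url_raw() rejects javascript: and strips markup.
    $clean = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $clean ) {
        add_settings_error( 'hypothetical_redirect', 'bad_url', 'Invalid redirect target.' );
        return;
    }
    update_option( 'hypothetical_redirect_target', $clean );
}
add_action( 'admin_post_hypothetical_save_redirect', 'hypothetical_save_redirect_setting_hardened' );
```

The verification step from the paragraph above corresponds to posting the form without the `hypothetical_nonce` field and observing that `check_admin_referer()` stops the request before `update_option()` runs.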
Update the Mavis HTTPS to HTTP Redirection plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
CVE-2025-58261 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mavis HTTPS to HTTP Redirection plugin that allows for Stored XSS attacks, potentially leading to account takeover.
You are affected if you are using Mavis HTTPS to HTTP Redirection versions 0.0.0 through 1.4.3. Upgrade to 1.4.4 or later to mitigate the risk.
Upgrade the Mavis HTTPS to HTTP Redirection plugin to version 1.4.4 or later. Consider implementing CSP and input validation as additional security measures.
While no active exploitation is currently confirmed, the combination of CSRF and Stored XSS makes it a high-priority vulnerability and a potential target for attackers.
Refer to the PressPage website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-58261.