Platform
wordpress
Component
mavis-https-to-http-redirect
Fixed version
1.4.4
CVE-2025-58261 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in PressPage Entertainment Inc's Mavis HTTPS to HTTP Redirection plugin. This flaw enables attackers to execute Stored XSS attacks, potentially compromising user accounts and website functionality. The vulnerability impacts versions from 0.0.0 through 1.4.3, but a fix is available in version 1.4.4.
The primary impact of CVE-2025-58261 stems from the ability to trigger Stored XSS attacks via CSRF. An attacker could craft malicious requests that, when triggered by a legitimate user, execute arbitrary JavaScript code within the user's browser context. This could lead to session hijacking, unauthorized data modification, redirection to phishing sites, or defacement of the website. The stored nature of the XSS means the payload persists even after the initial attack, potentially affecting multiple users over time. The potential for account takeover is significant, allowing attackers to gain control of administrator accounts and further compromise the system.
CVE-2025-58261 was publicly disclosed on 2025-09-22. No known public proof-of-concept (POC) exploits are currently available, but the combination of CSRF and Stored XSS makes it a high-priority vulnerability. The EPSS score is likely to be medium, reflecting the potential for significant impact and the relative ease of exploitation once a POC is developed. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Mavis HTTPS to HTTP Redirection plugin, particularly those with user accounts or sensitive data, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as a single compromised installation can affect multiple websites.
• wordpress / plugin: `wp plugin list | grep -i mavis` (the unquoted plugin name in the original command was passed to grep as file names; the plugin is listed by its slug, mavis-https-to-http-redirect)
• wordpress / plugin: Check the plugin version in the WordPress admin dashboard.
• wordpress / plugin: Examine plugin files for suspicious JavaScript code or XSS vectors.
• wordpress / plugin: Review WordPress access logs for unusual requests targeting the plugin's endpoints.
disclosure
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-58261 is to immediately upgrade the Mavis HTTPS to HTTP Redirection plugin to version 1.4.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Content Security Policy (CSP) to restrict the execution of inline scripts and external resources. Additionally, implement strict input validation and output encoding to sanitize user-supplied data. Web Application Firewall (WAF) rules can be configured to detect and block suspicious CSRF requests, although this is not a substitute for patching. After upgrading, confirm the vulnerability is resolved by attempting to trigger a CSRF request against a test installation and verifying that the forged request is rejected rather than acted upon.
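As an added illustration of the input validation and output encoding recommended above (this is not the Mavis plugin's own code; the `mavis_demo_*` names, the `redirect_url` field and the option name are assumptions), a WordPress settings handler that closes the CSRF-to-stored-XSS chain with a nonce check, a capability check, sanitisation on save and escaping on output:

```php
<?php
// Hypothetical hardened settings handler for a WordPress plugin. It is NOT the
// Mavis plugin's code; action, field and option names are assumptions.

add_action('admin_post_mavis_demo_save', 'mavis_demo_save_settings');

function mavis_demo_save_settings() {
    // 1. Capability check: only users allowed to manage options may save.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }

    // 2. CSRF defence: the request must carry a nonce bound to this action and
    //    the current user's session. A cross-site forged request cannot obtain
    //    one, so check_admin_referer() stops it here (it calls wp_die on failure).
    check_admin_referer('mavis_demo_save', 'mavis_demo_nonce');

    // 3. Validate and sanitise before storing: read only the expected field and
    //    keep only a well-formed http/https URL, so script: URLs or markup never
    //    reach the database in the first place.
    $raw = isset($_POST['redirect_url']) ? wp_unslash($_POST['redirect_url']) : '';
    $url = esc_url_raw($raw, array('http', 'https'));
    if ($url === '') {
        wp_die('Invalid redirect URL', '', array('response' => 400));
    }
    update_option('mavis_demo_redirect_url', $url);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php')));
    exit;
}

function mavis_demo_render_settings_form() {
    $url = get_option('mavis_demo_redirect_url', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="mavis_demo_save">
        <?php wp_nonce_field('mavis_demo_save', 'mavis_demo_nonce'); ?>
        <!-- 4. Escape on output: whatever is stored cannot break out of the
             attribute, which removes the stored-XSS half of the chain even if a
             bad value somehow reached the option. -->
        <input type="url" name="redirect_url" value="<?php echo esc_attr($url); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}
```

Each of the four steps addresses a distinct link in the chain; the nonce check alone blocks the CSRF, while sanitising on save and escaping on output ensure that even an authenticated administrator cannot persist a script payload.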
Update the Mavis HTTPS to HTTP Redirection plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
CVE-2025-58261 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mavis HTTPS to HTTP Redirection plugin that allows for Stored XSS attacks, potentially leading to account takeover.
You are affected if you are using Mavis HTTPS to HTTP Redirection versions 0.0.0 through 1.4.3. Upgrade to 1.4.4 or later to mitigate the risk.
Upgrade the Mavis HTTPS to HTTP Redirection plugin to version 1.4.4 or later. Consider implementing CSP and input validation as additional security measures.
While no active exploitation is currently confirmed, the combination of CSRF and Stored XSS makes it a high-priority vulnerability and a potential target for attackers.
Refer to the PressPage website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-58261.