CVE-2019-25147
📋 TL;DR
The Pretty Links WordPress plugin up to version 2.1.9 has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via IP and referer headers. When users visit pages containing these injected scripts, the scripts execute in their browsers, potentially compromising their accounts or sessions. This affects all WordPress sites using vulnerable versions of the Pretty Links plugin.
💻 Affected Systems
- WordPress Pretty Links plugin
📦 What is this software?
Pretty Links by Prettylinks
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over WordPress sites, install backdoors, or redirect users to malicious sites, leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as logged-in users, or deface website content.
If Mitigated
With a properly configured web application firewall and input validation, the risk is reduced to minimal, though the vulnerability still exists in the code.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with malicious headers to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Pretty Links and click 'Update Now'.
4. Alternatively, download version 2.2.0+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Pretty Links plugin
Platform: all
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate pretty-link
Web Application Firewall rule
Platform: linux
Block malicious IP and referer headers containing script tags
ModSecurity rule: SecRule REQUEST_HEADERS "(?i:<script.*?>)" "id:1001,phase:1,deny,status:403,msg:'XSS attempt detected'"
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to prevent script execution from untrusted sources
- Deploy a web application firewall to filter malicious headers before they reach the application
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Pretty Links version. If version is 2.1.9 or lower, you are vulnerable.
Check Version:
wp plugin list --name=pretty-link --field=version
Verify Fix Applied:
After updating, verify Pretty Links plugin shows version 2.2.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with suspicious script tags in IP or referer headers
- Unusual referer values containing JavaScript code
Network Indicators:
- HTTP traffic with XSS payloads in headers directed to WordPress sites
SIEM Query:
source="web_logs" AND (http_user_agent CONTAINS "<script" OR http_referer CONTAINS "<script" OR http_x_forwarded_for CONTAINS "<script")
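As an added example (not from the advisory, the plugin vendor or any referenced source), a small Python scanner that applies the log indicators above to Apache combined-format lines with an appended X-Forwarded-For field. It URL-decodes the referer and forwarded-IP headers before matching, because the ModSecurity rule and SIEM query above only match a literal `<script`. The log format, field names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines. Assumed Apache format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i"
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /go/promo HTTP/1.1" 302 0 "https://example.org/page" "Mozilla/5.0" "-"
203.0.113.9 - - [10/Oct/2019:13:55:40 +0000] "GET /go/promo HTTP/1.1" 302 0 "<script>alert(1)</script>" "Mozilla/5.0" "-"
203.0.113.9 - - [10/Oct/2019:13:55:41 +0000] "GET /go/promo HTTP/1.1" 302 0 "https://example.org/" "Mozilla/5.0" "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')

# Script tags plus the two commonest ways of carrying JavaScript in a URL or attribute
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def normalise(value: str) -> str:
    """URL-decode repeatedly so %253C-style double encoding does not hide a tag."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per header field (referer, X-Forwarded-For, UA) that carries script content."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for field in ('referer', 'xff', 'ua'):
            raw = m.group(field)
            if XSS_RE.search(normalise(raw)):
                findings.append({'ts': m.group('ts'), 'ip': m.group('ip'),
                                 'field': field, 'value': raw})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} header={f['field']} value={f['value']!r}")
```

Feed it the same fields your SIEM indexes as http_referer and http_x_forwarded_for; the decoding step is what catches the third sample line, which the literal `<script` patterns above would miss.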
🔗 References
- https://blog.nintechnet.com/stored-xss-and-csv-injection-vulnerabilities-in-wordpress-shortlinks-by-pretty-links-plugin/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2108490%40pretty-link%2Ftrunk&old=2078274%40pretty-link%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ae058c5b-b90b-4a1e-9f56-d56dbd2d3607?source=cve