CVE-2025-11167
📋 TL;DR
This vulnerability allows unauthenticated attackers to redirect WordPress users to malicious websites by exploiting insufficient validation of the 'redirect_url' parameter in the CM Registration plugin. All WordPress sites using this plugin up to version 2.5.6 are affected. Attackers can trick users into clicking specially crafted links that redirect them to phishing or malware sites.
💻 Affected Systems
- CM Registration – Tailored tool for seamless login and invitation-based registrations WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Users redirected to sophisticated phishing sites that steal credentials or install malware, leading to account compromise, data theft, or ransomware infection.
Likely Case
Users redirected to phishing pages attempting to steal WordPress admin credentials or personal information.
If Mitigated
Users see warning messages or are blocked from redirecting to external sites, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but no authentication or special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.7 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'CM Registration' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.5.7+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the CM Registration plugin until the patched version is available
Add redirect validation filter
Add a WordPress filter to validate redirect URLs before they are processed
Add to the theme's functions.php or a custom plugin (replace yourdomain.com with your site's host):
    // allowed_redirect_hosts is honoured by wp_validate_redirect(), which wp_safe_redirect() calls;
    // a redirect issued through plain wp_redirect() bypasses this list.
    add_filter('allowed_redirect_hosts', function ($hosts) {
        return array_merge($hosts, ['yourdomain.com']);
    });
🧯 If You Can't Patch
- Disable the CM Registration plugin completely
- Implement web application firewall rules to block requests containing suspicious redirect parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for CM Registration plugin version 2.5.6 or earlier
Check Version:
# --name matches the plugin slug (cm-invitation-codes, as in the changeset URL under References), not the display name
wp plugin list --name=cm-invitation-codes --field=version
Verify Fix Applied:
Verify plugin version is 2.5.7 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'redirect_url' parameter with external domains
- Multiple redirect responses (HTTP 302) to unfamiliar domains
Network Indicators:
- Outbound connections to suspicious domains following WordPress login/registration requests
SIEM Query:
web.url:*redirect_url=* AND NOT web.url:*redirect_url=*yourdomain.com*
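The log indicators above can be checked mechanically. The following is an added example, not code from the advisory or the plugin: it scans combined-format access log lines for redirect_url values whose host falls outside an allowlist, treating scheme-relative, userinfo, backslash and double-encoded forms as off-site. ALLOWED_HOSTS, the request paths and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the site may legitimately redirect to (assumption: replace with your own).
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}

# Combined-format access log: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; the request paths are assumptions, not the plugin's real routes.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2025:10:15:01 +0000] "GET /login/?redirect_url=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Oct/2025:10:16:12 +0000] "GET /login/?redirect_url=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Oct/2025:10:17:44 +0000] "GET /login/?redirect_url=%2F%2Fevil.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Oct/2025:10:18:03 +0000] "GET /login/?redirect_url=https%3A%2F%2Fyourdomain.com%40evil.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [03/Oct/2025:10:19:30 +0000] "GET /register/?redirect_url=https%3A%2F%2Fwww.yourdomain.com%2Fwelcome HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def redirect_target_is_external(value, allowed_hosts=ALLOWED_HOSTS):
    """True when a redirect_url value points off-site; relative paths are accepted.
    Scheme-relative '//host', 'user@host' userinfo tricks, backslash variants and
    double-encoded values all resolve to a host and are checked against the allowlist."""
    candidate = unquote(value.strip())          # extra decode round catches double-encoding
    candidate = candidate.replace("\\", "/")    # browsers treat '\' like '/'
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return False                            # e.g. /wp-admin/
    host = (parts.hostname or "").lower()
    return host not in allowed_hosts


def find_external_redirect_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, status, redirect_target) for each off-site redirect_url seen."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line we understand
        client, _ts, path, status = m.groups()
        query = urlsplit(path).query
        for target in parse_qs(query).get("redirect_url", []):   # parse_qs decodes once
            if redirect_target_is_external(target, allowed_hosts):
                hits.append((client, int(status), target))
    return hits


if __name__ == "__main__":
    for client, status, target in find_external_redirect_requests(SAMPLE_LOG):
        print(f"{client} -> {status} redirect_url={target}")
```

A 302 response paired with an off-site target is the strongest signal; a 200 with an off-site value still merits a look, since it shows the parameter being probed.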
🔗 References
- https://plugins.trac.wordpress.org/changeset/3374121/cm-invitation-codes/trunk/controller/LoginController.php?old=3310298&old_path=cm-invitation-codes%2Ftags%2F2.5.5%2Fcontroller%2FLoginController.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c10286fe-2fdf-4946-b7bb-a2b16f93abb0?source=cve