CVE-2025-23677
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the DSmidgy HTTP to HTTPS link changer WordPress plugin allows attackers to inject malicious scripts that execute when administrators view plugin settings. This affects all WordPress sites using versions 0.2.4 and earlier of this plugin, potentially compromising administrator accounts and site visitors.
💻 Affected Systems
- DSmidgy HTTP to HTTPS link changer by Eyga.net
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, inject persistent malware into websites, redirect visitors to malicious sites, or steal sensitive data from both administrators and site visitors.
Likely Case
Attackers would create fake plugin settings pages that trick administrators into executing malicious JavaScript, leading to session hijacking or unauthorized content modification.
If Mitigated
With proper CSRF tokens and Content Security Policy headers, the attack would fail at the initial request stage, preventing any script execution.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into visiting a malicious page while logged in.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.2.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'HTTP to HTTPS link changer by Eyga.net'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Implement CSRF Protection
WordPress: Add nonce verification to plugin form submissions
Requires code modification: Add wp_nonce_field() and wp_verify_nonce() calls to plugin forms
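The workaround above names the two WordPress calls involved. As an added illustration (not code from the DSmidgy/Eyga.net plugin, whose internals are not shown on this page), the following contrasts a settings handler with the CSRF weakness described in the TL;DR against a hardened version that emits a nonce with wp_nonce_field(), checks it with wp_verify_nonce(), enforces the manage_options capability, and sanitises input and escapes output so that a value stored in the option cannot execute as script when an administrator views the settings page. The option name dsm_https_settings, the field name excluded_domains and the function names are hypothetical; the menu slug https-links-in-content is the one that appears in this advisory's log indicators.

```php
<?php
// Added illustrative example; not the plugin's own code.
// Hypothetical names: option 'dsm_https_settings', field 'excluded_domains',
// nonce action/name constants below. Slug 'https-links-in-content' is taken
// from the advisory's log indicators.

// ---- Vulnerable pattern -------------------------------------------------
// Saves on any POST: no nonce, no capability check, no sanitisation, and the
// stored value is echoed unescaped. A forged cross-site form submission from a
// logged-in administrator's browser is accepted and its payload persists.
function dsm_save_settings_vulnerable() {
    if ( isset( $_POST['excluded_domains'] ) ) {
        update_option( 'dsm_https_settings', $_POST['excluded_domains'] ); // accepted blindly
    }
}

function dsm_render_settings_vulnerable() {
    $value = get_option( 'dsm_https_settings', '' );
    echo '<form method="post">';
    echo '<input name="excluded_domains" value="' . $value . '">'; // unescaped: stored XSS sink
    echo '<input type="submit" value="Save"></form>';
}

// ---- Hardened pattern ---------------------------------------------------
const DSM_NONCE_ACTION = 'dsm_save_settings';   // hypothetical action string
const DSM_NONCE_NAME   = 'dsm_settings_nonce';  // hypothetical hidden-field name

function dsm_save_settings_hardened() {
    if ( ! isset( $_POST['excluded_domains'] ) ) {
        return;
    }
    // Capability check: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: the token is tied to the action, the user and a time window,
    // so a cross-site form cannot supply a valid one.
    $nonce = isset( $_POST[ DSM_NONCE_NAME ] )
        ? sanitize_text_field( wp_unslash( $_POST[ DSM_NONCE_NAME ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, DSM_NONCE_ACTION ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    // Sanitise before storing so no markup reaches the option.
    $clean = sanitize_text_field( wp_unslash( $_POST['excluded_domains'] ) );
    update_option( 'dsm_https_settings', $clean );
}

function dsm_render_settings_hardened() {
    $value = get_option( 'dsm_https_settings', '' );
    echo '<form method="post" action="'
        . esc_url( admin_url( 'admin.php?page=https-links-in-content' ) ) . '">';
    wp_nonce_field( DSM_NONCE_ACTION, DSM_NONCE_NAME ); // hidden nonce + referer fields
    echo '<input name="excluded_domains" value="' . esc_attr( $value ) . '">'; // escaped output
    submit_button( 'Save' );
    echo '</form>';
}

// Hypothetical wiring of the hardened handlers into the admin page.
add_action( 'admin_menu', function () {
    add_options_page( 'HTTPS links', 'HTTPS links', 'manage_options',
        'https-links-in-content', 'dsm_render_settings_hardened' );
} );
add_action( 'admin_init', 'dsm_save_settings_hardened' );
```

check_admin_referer( DSM_NONCE_ACTION, DSM_NONCE_NAME ) is an equivalent one-call form of the nonce check (it calls wp_verify_nonce() and dies on failure). The nonce alone stops the forged request; the esc_attr() on output is what removes the script-execution consequence if a bad value ever does reach the option, which is why both are shown.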
🧯 If You Can't Patch
- Deactivate and remove the plugin immediately
- Implement strict Content Security Policy headers to block inline script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'HTTP to HTTPS link changer by Eyga.net' version 0.2.4 or earlier
Check Version:
wp plugin list --name='http-to-https-link-changer' --field=version
Verify Fix Applied:
Verify plugin version is higher than 0.2.4 or plugin is completely removed
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin.php?page=https-links-in-content
- Multiple failed nonce verification attempts
Network Indicators:
- Unexpected JavaScript injection in plugin settings pages
- Cross-origin requests to plugin admin endpoints
SIEM Query:
source="wordpress" AND (uri="/wp-admin/admin.php?page=https-links-in-content" OR message="nonce verification failed")