CVE-2025-58852
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the MSTW League Manager WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions, which can lead to stored cross-site scripting (XSS) attacks. This affects all WordPress sites running MSTW League Manager version 2.10 and earlier. Attackers can inject malicious scripts that execute when other users visit affected pages.
💻 Affected Systems
- MSTW League Manager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could compromise administrator accounts, inject persistent malicious scripts across the website, steal session cookies, redirect users to malicious sites, or deface the website.
Likely Case
Attackers create fake admin actions that inject malicious JavaScript into website content, leading to session hijacking, credential theft, or malware distribution to visitors.
If Mitigated
With proper CSRF tokens and input validation, the vulnerability would be blocked, preventing unauthorized actions even if users are tricked into clicking malicious links.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link while logged in. CSRF attacks are well-understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find MSTW League Manager and click 'Update Now'.
4. Verify the plugin version is 2.11 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the MSTW League Manager plugin until patched.
wp plugin deactivate mstw-league-manager
Implement CSRF Protection
Add custom CSRF tokens to plugin forms if you have development access.
🧯 If You Can't Patch
- Restrict administrative access to trusted networks only using firewall rules.
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for MSTW League Manager version. If version is 2.10 or lower, you are vulnerable.
Check Version:
wp plugin get mstw-league-manager --field=version
Verify Fix Applied:
After updating, confirm MSTW League Manager version is 2.11 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to MSTW League Manager admin endpoints without Referer headers, or with a Referer from another site
- Unexpected changes to plugin settings or content
Network Indicators:
- HTTP requests with suspicious parameters targeting /wp-admin/admin.php?page=mstw-lm-* endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query="page=mstw-lm-*") AND http_method="POST" AND NOT referrer CONTAINS yourdomain.com
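As an added example (not from this advisory), the following Python script applies the detection logic of the SIEM query above to constructed log lines: it matches any page=mstw-lm-* admin page, flags POSTs whose Referer is missing or from another host, and compares the Referer host exactly rather than by substring so that look-alike hosts are not accepted. The log format, the site host yourdomain.com and the sample lines are assumptions.

```python
# Added example (not from the advisory): flag POSTs to MSTW League Manager
# admin pages whose Referer is missing or cross-site, mirroring the SIEM
# query above but matching the page= prefix and comparing hosts rather
# than substrings. Log format and site host are assumptions.
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "yourdomain.com"  # assumption: the protected site's hostname

# Constructed log lines (combined-log style, Referer as the last field).
SAMPLE_LOG = """\
203.0.113.5 - admin [10/Oct/2025:10:00:01 +0000] "POST /wp-admin/admin.php?page=mstw-lm-settings HTTP/1.1" 302 "https://yourdomain.com/wp-admin/admin.php?page=mstw-lm-settings"
198.51.100.7 - admin [10/Oct/2025:10:00:02 +0000] "POST /wp-admin/admin.php?page=mstw-lm-settings HTTP/1.1" 302 "https://attacker.example/lure.html"
198.51.100.8 - admin [10/Oct/2025:10:00:03 +0000] "POST /wp-admin/admin.php?page=mstw-lm-teams HTTP/1.1" 302 "-"
198.51.100.9 - admin [10/Oct/2025:10:00:04 +0000] "POST /wp-admin/admin.php?page=mstw-lm-teams HTTP/1.1" 302 "https://yourdomain.com.evil.example/"
192.0.2.4 - admin [10/Oct/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=mstw-lm-settings HTTP/1.1" 200 "https://yourdomain.com/wp-admin/"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" \d+ "(?P<referer>[^"]*)"$'
)

def is_suspicious(method, target, referer):
    """True for a POST to a mstw-lm-* admin page with no or cross-site Referer."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin.php":
        return False
    page = parse_qs(parts.query).get("page", [""])[0]
    if not page.startswith("mstw-lm-"):
        return False
    if referer in ("", "-"):
        return True  # missing Referer: same-site origin cannot be confirmed
    # Compare the host exactly; a substring check would accept yourdomain.com.evil.example
    return urlsplit(referer).hostname != SITE_HOST

def find_suspicious(log_text):
    """Return the client IPs of all log lines that match the detection rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m["method"], m["target"], m["referer"]):
            hits.append(m["ip"])
    return hits

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # ['198.51.100.7', '198.51.100.8', '198.51.100.9']
```

Browsers may omit the Referer under a strict Referrer-Policy, so hits are candidates for review rather than confirmed CSRF attempts.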