Login Sign Up

CVE-2025-5983

6.5 MEDIUM

📋 TL;DR

The Meta Tag Manager WordPress plugin before version 3.3 allows users with any role to create http-equiv refresh meta tags, which can be used to redirect visitors to malicious sites. This affects all WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:
  • Meta Tag Manager WordPress plugin
Versions: All versions before 3.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with any user account could redirect all site visitors to phishing/malware sites, potentially compromising credentials or infecting visitors.

🟠

Likely Case

Low-privileged users could redirect visitors to unwanted sites, causing reputation damage and potential SEO penalties.

🟢

If Mitigated

With proper role-based access controls, only trusted administrators could create meta tags, preventing abuse.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires at least a subscriber-level WordPress account. The vulnerability is simple to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3

Vendor Advisory: https://wpscan.com/vulnerability/4a2d4dcf-bb34-4eec-b5de-31c6a4d823cf/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Meta Tag Manager' and click 'Update Now'. 4. Verify version is 3.3 or higher.

🔧 Temporary Workarounds

Restrict user registration

all

Disable new user registration to prevent attackers from creating accounts to exploit this vulnerability.

Remove vulnerable plugin

all

Temporarily deactivate and delete the Meta Tag Manager plugin until patched.

🧯 If You Can't Patch

  • Implement strict user role management and audit all existing user accounts
  • Monitor website redirects and meta tag changes through security plugins

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Meta Tag Manager version.

Check Version:

wp plugin list --name='meta-tag-manager' --field=version

Verify Fix Applied:

Confirm Meta Tag Manager version is 3.3 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual meta tag creation/modification by non-admin users
  • HTTP redirect logs showing unexpected site redirections

Network Indicators:

  • Unexpected HTTP 301/302 redirects from your WordPress site

SIEM Query:

source="wordpress.log" AND ("meta tag" OR "refresh" OR "redirect") AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2025-5983
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06% exploit probability (16.9th percentile)
Published: October 22, 2025
Last Updated: October 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON