CVE-2026-0739
📋 TL;DR
The WMF Mobile Redirector WordPress plugin versions up to 1.2 contain a stored cross-site scripting vulnerability in plugin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute when users view affected pages. This affects WordPress sites using the vulnerable plugin.
💻 Affected Systems
- WMF Mobile Redirector WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.
Likely Case
Session hijacking, credential theft from site administrators, or defacement of WordPress admin pages.
If Mitigated
Limited impact if proper access controls restrict administrator accounts to trusted users only.
🎯 Exploit Status
Exploitation requires authenticated administrator access. The vulnerability is in plugin settings pages where input isn't properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2
Restart Required: No
Instructions:
1. Remove the WMF Mobile Redirector plugin from your WordPress installation. 2. No official patch exists as the plugin appears unmaintained. 3. Consider alternative mobile redirect solutions.
🔧 Temporary Workarounds
Remove vulnerable plugin
allCompletely remove the WMF Mobile Redirector plugin from WordPress
wp plugin delete wmf-mobile-redirector
Restrict administrator access
allLimit administrator accounts to only essential, trusted personnel
🧯 If You Can't Patch
- Implement strict access controls for WordPress administrator accounts
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin plugins page for WMF Mobile Redirector version 1.2 or earlierCheck Version:
wp plugin list --name=wmf-mobile-redirector --field=versionVerify Fix Applied:
Confirm plugin is removed or disabled in WordPress plugins list📡 Detection & Monitoring
Log Indicators:
- Unusual administrator account activity
- Suspicious POST requests to plugin settings pages
Network Indicators:
- Malicious script injections in HTTP responses from WordPress admin pages
SIEM Query:
source="wordpress" AND (plugin="wmf-mobile-redirector" OR uri="/wp-admin/options-general.php") AND (method="POST" OR status=200)🔗 References
- https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55
- https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62
- https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55
- https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62
- https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve
