Executive Summary

CVE-2025-5983 is a vulnerability in the Meta Tag Manager WordPress plugin versions before 3.3. It occurs because the plugin does not restrict which user roles can create HTTP-equiv refresh meta tags. This means that users with Contributor privileges can add meta tags that cause the browser to automatically redirect to arbitrary URLs, enabling open redirect and phishing attacks. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing users with Contributor privileges to create HTTP-equiv refresh meta tags that redirect visitors to arbitrary URLs. This can be exploited for open redirect attacks, which can facilitate phishing by redirecting users to malicious websites without their knowledge. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the Meta Tag Manager plugin version prior to 3.3 and if users with Contributor roles can add HTTP-equiv refresh meta tags. You can verify the plugin version via the WordPress admin dashboard or by running a command to list installed plugins and their versions, for example: `wp plugin list | grep meta-tag-manager`. Additionally, you can inspect posts created by Contributor users for meta tags with http-equiv="refresh" and content attributes that perform redirects. There is no specific network command provided, but reviewing posts or database entries for such meta tags can help detect exploitation. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Meta Tag Manager WordPress plugin to version 3.3 or later, where this vulnerability is fixed. Additionally, restrict Contributor user roles from adding or editing meta tags if possible, and review existing posts for malicious HTTP-equiv refresh meta tags to remove them. [1]

Useful 0 Not Useful 0