Meta Tag Manager < 3.3 – Contributor+ Open Redirect | CVE 2025-5983 | Plugin Vulnerabilities

Description

The plugin does not restrict which roles can create http-equiv refresh meta tags.
So it could be used for open redirect/phishing attacks.

Proof of Concept

1. Log in as a user with Contributor privileges.

2. Create a new post.

3. In the Meta Tag Manager section, add a new meta tag with the following details:
Tag Type: http-equiv
http-equiv Value: refresh
content Attribute: 0;URL=https://example.com

4. Submit and preview the post.

Affects Plugins

meta-tag-manager

Fixed in 3.3

References

CVE

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

4a2d4dcf-bb34-4eec-b5de-31c6a4d823cf

Timeline

Publicly Published

2025-10-01 (about 2 months ago)

Added

2025-10-01 (about 2 months ago)

Last Updated

2025-10-01 (about 2 months ago)

Other

Published

Title

Published

2017-02-17

Title

GTranslate < 2.8.11 - Unauthenticated Open Redirect

Published

2025-03-27

Title

Bit Integrations < 2.5.0 - Open Redirect

Published

2019-10-08

Title

All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure

Published

2019-09-05

Title

WordPress 5.2.2 - Potential Open Redirect

Published

2019-10-21

Title

Bridge Theme < 18.2.1 - Open Redirect