CVE-2025-49353
Description
Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path noindex-by-path allows Stored XSS. This issue affects Noindex by Path: from n/a through <= 1.0.
Analysis
Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions, such as modifying plugin settings, by luring a logged-in administrator to crafted HTML or JavaScript on an attacker-controlled site. Chained with stored XSS, the forged request can inject malicious scripts that persist in the plugin's data and execute for every user who views the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.
Technical Context
The vulnerability resides in the Noindex by Path WordPress plugin, which manages SEO noindex directives for URL paths. The root cause is insufficient CSRF protection (CWE-352) in the plugin's administrative settings handlers, which lets attackers forge settings requests that are not stopped by WordPress nonce verification. The stored XSS component indicates that user-supplied input in plugin configuration fields is not properly sanitized or escaped before being stored in the WordPress database, allowing persistent injection of malicious scripts. The vulnerability affects all WordPress installations where Noindex by Path version 1.0 or earlier is active, and it is triggered when administrators access the plugin's settings pages or when stored XSS payloads are rendered to users.
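As an added illustration of the two controls whose absence is described above, here is a settings handler for a noindex-by-path style option written the way WordPress expects it: nonce and capability checks on save, sanitization before storage, and escaping on output. This is example code, not the plugin's own; the option key, hook name, menu slug and field names are assumptions.

```php
<?php
// Added example (not the plugin's code). Names such as 'nbp_paths',
// 'nbp_save_paths' and the 'page=nbp' slug are assumptions for illustration.

// 1. Save handler, reachable only through a nonce-carrying admin-post request.
add_action( 'admin_post_nbp_save_paths', 'nbp_save_paths' );

function nbp_save_paths() {
    // Capability check: only users allowed to change site settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection (CWE-352): the nonce is bound to this user's session and
    // this action, so a request forged from another origin cannot carry a valid one.
    check_admin_referer( 'nbp_save_paths', 'nbp_nonce' );

    // Sanitize before storage: keep only URL-path-shaped lines, drop everything else.
    // This is also what keeps a <script> string from ever reaching wp_options.
    $raw   = isset( $_POST['nbp_paths'] ) ? (string) wp_unslash( $_POST['nbp_paths'] ) : '';
    $paths = array();
    foreach ( preg_split( '/\r\n|\r|\n/', $raw ) as $line ) {
        $line = trim( $line );
        if ( $line !== '' && preg_match( '#\A/[A-Za-z0-9._~/%\-]*\z#', $line ) ) {
            $paths[] = $line;
        }
    }
    update_option( 'nbp_paths', array_values( array_unique( $paths ) ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=nbp' ) ) );
    exit;
}

// 2. Settings page: the form carries the nonce, and stored values are escaped on
//    output so a value that did reach the database still cannot run as markup.
function nbp_settings_page() {
    $paths = (array) get_option( 'nbp_paths', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nbp_save_paths">
        <?php wp_nonce_field( 'nbp_save_paths', 'nbp_nonce' ); ?>
        <textarea name="nbp_paths" rows="8" cols="60"><?php echo esc_textarea( implode( "\n", $paths ) ); ?></textarea>
        <?php submit_button( 'Save paths' ); ?>
    </form>
    <?php
}
```

Reviewing a plugin's save handler for exactly these three elements (capability check, check_admin_referer or wp_verify_nonce, and sanitization before update_option) is a quick way to confirm whether an update actually closes a CSRF-to-stored-XSS chain like this one.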
Affected Products
The vulnerability affects the Marcin Kijak Noindex by Path WordPress plugin in all versions from initial release through version 1.0 (inclusive). The plugin is distributed via the WordPress.org plugin repository. CPE data is not available for this third-party WordPress plugin, but the Patchstack reference (https://patchstack.com/database/Wordpress/Plugin/noindex-by-path) documents this as WordPress plugin ID noindex-by-path with maximum affected version 1.0.
Remediation
Update the Noindex by Path plugin to a version newer than 1.0 immediately if available from the developer, or disable and remove the plugin if no patched version exists. Administrators should review the WordPress.org plugin page or the developer's repository (Marcin Kijak's account) for a security update. In the interim, restrict administrative access to the plugin's settings pages using WordPress user role controls, disable the plugin entirely if not essential, or implement Web Application Firewall (WAF) rules to block requests to the plugin's settings handlers from external referrers. WordPress site owners should audit their database for unexpected entries in plugin option tables (typically wp_options or wp_postmeta) that may indicate stored XSS payload persistence, and review WordPress admin action logs for unauthorized setting changes.