CVE-2025-52835

WING WordPress Migrator <= 1.2.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.0.0
Patched in
107d
Time to patch

Description

The WING WordPress Migrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.0
PublishedDecember 30, 2025
Last updatedApril 15, 2026
Affected pluginwing-migrator

What Changed in the Fix

Changes introduced in v2.0.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, functional payloads, or step-by-step guides for exploiting specific security vulnerabilities like CVE-2025-52835. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, functional payloads, or step-by-step guides for exploiting specific security vulnerabilities like CVE-2025-52835. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) in the context of WordPress or discuss general defensive best practices for securing plugin migration endpoints.

Theoretical Mechanics of CSRF in Migration Plugins

Cross-Site Request Forgery (CSRF) occurs when an application performs a state-changing action (like updating settings or initiating a backup) without verifying that the request was intentionally initiated by the authenticated user.

In WordPress migration plugins, vulnerabilities typically manifest in handlers for:

  • AJAX Actions: Functions hooked to wp_ajax_* that lack check_ajax_referer().
  • Admin Post Handlers: Functions hooked to admin_post_* that lack check_admin_referer().
  • Form Submissions: Admin pages that process $_POST data directly without verifying a nonce generated by wp_nonce_field().

If an administrator is logged into their WordPress site and visits a malicious third-party page, that page can trigger an unverified request to one of these endpoints. Because the browser automatically includes the administrator's session cookies, the plugin may process the request as if the administrator intended to perform the action.

Defensive Best Practices

To prevent CSRF in WordPress plugins, developers should follow these practices:

  1. Always Use Nonces: Every state-changing request must include a nonce. Use wp_create_nonce() to generate the token and wp_verify_nonce(), check_ajax_referer(), or check_admin_referer() to validate it.
  2. Verify Capabilities: Nonce verification is not a substitute for authorization. Always check user permissions using current_user_can() before executing sensitive logic.
  3. Strict HTTP Methods: Ensure that actions that modify data (Update, Delete, Create) only respond to POST requests, never GET.
  4. Validate Action Strings: When verifying nonces, ensure the action string used during verification precisely matches the one used during creation to prevent generic nonce reuse.

For more information on securing WordPress plugins, you can consult the WordPress Plugin Handbook's section on security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WING Website Migrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0 due to missing nonce validation on administrative functions. This allows unauthenticated attackers to perform unauthorized actions, such as triggering migrations or altering settings, by tricking a logged-in administrator into interacting with a malicious link or submitting a forged form.

Security Fix

Only in /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/1.2.0: classes
Only in /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/2.0.0: includes
Only in /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/2.0.0: languages
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/1.2.0/readme.txt /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/2.0.0/readme.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/1.2.0/readme.txt	2025-12-09 03:48:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/2.0.0/readme.txt	2026-03-11 08:01:32.000000000 +0000
@@ -1,56 +1,50 @@
-=== ConoHa Website Migrator ===
-Contributors: wing
-Tags: Conoha, Migration
-Requires at least: 3.8.5
-Tested up to: 6.8
-Requires PHP: 5.3
-Stable tag: 1.2.0
+=== Wing WP Migrator ===
+Contributors: gmointernet
+Tags: migration, wing, backup, restore
+Requires at least: 6.2
+Tested up to: 6.9
+Requires PHP: 7.4
+Stable tag: 2.0.0
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
-ConoHa WINGのWordPressで「かんたん移行」をご利用いただくためのプラグインです。
+A WordPress migration plugin for ConoHa WING hosting service.
 
 == Description ==
 
-ConoHa WINGのWordPressで「かんたん移行」をご利用いただくためのプラグインです。
+This plugin enables the "Easy Migration" feature for WordPress on ConoHa WING.
 
-プラグインを利用すると、別のサーバーで運用していたWordPressをConoHa WINGのサーバー上に移設することができます。
+It allows you to migrate a WordPress site running on another server to your ConoHa WING server.
 
+== Target Users ==
+This plugin is available free of charge for ConoHa WING subscribers.
 
-= 利用対象 =
-ConoHa WINGをご契約の場合、無料でご利用いただけます。
+To use the plugin, you need to enter the source WordPress site information from the ConoHa WING control panel.
 
-ご利用いただく際、ConoHa WINGのコントロールパネルから移行元のWordPressの情報を入力していただく必要があります。
+Please note that this plugin will not function on servers other than ConoHa WING.
 
-なお、ConoHa WING以外のサービスでのご利用はできませんので、プラグインをインストールしても動作いたしません。
-
-
-
-= サポート =
-プラグインの使用方法は、ConoHa WINGのご利用ガイドをご参照ください。
-
-▼ConoHa WING お客様サポート
-
-https://support.conoha.jp/wing/
-
-※ConoHa WINGのサービス利用料、通信にかかる費用などはお客様の負担となります。
+= Support =
+For usage instructions, please refer to the ConoHa WING user guide.
 
+ConoHa WING Customer Support: https://support.conoha.jp/wing/
 
 == Installation ==
-※このプラグインを使用するためには、ConoHa WINGのいずれかのプランの契約が必要となります。
 
-プラグインは、ConoHa WINGコントロールパネル内「アプリケーションインストール」のメニュー内で「WordPressかんたん移行を利用する」を選択し、
-必要事項を入力後WordPressのインストールを開始することで自動的にインストールが開始されます。
+This plugin requires an active ConoHa WING subscription.
 
-== Frequently asked questions ==
-よくある質問については、 ConoHa WINGのお客様サポートをご確認ください。
+The plugin is automatically installed when you select "Use WordPress Easy Migration" from the "Application Installation" menu in the ConoHa WING control panel and start the WordPress installation after entering the required information.
 
-▼ConoHa WING お客様サポート
+== Frequently Asked Questions ==
 
-https://support.conoha.jp/wing/
+For frequently asked questions, please refer to ConoHa WING Customer Support.
 
+ConoHa WING Customer Support: https://support.conoha.jp/wing/
 
 == Changelog ==
+
+= 2.0.0 =
+* Security improvements and codebase overhaul.
+
 = 1.2.0 =
 * Change Plugin Name and Description.
 
@@ -67,25 +61,25 @@
 * Added file installation function.
 
 = 1.1.5 =
-* bug fix.
+* Bug fix.
 
 = 1.1.4 =
-* bug fix.
+* Bug fix.
 
 = 1.1.3 =
 * Fix restore download logic.
 
 = 1.1.2 =
-* bug fix.
+* Bug fix.
 
 = 1.1.1 =
-* bug fix.
+* Bug fix.
 
 = 1.1.0 =
 * Fix backup and restore logic.
 
 = 1.0.1 =
-* bug fix.
+* Bug fix.
 
 = 1.0.0 =
-* 初期リリース
+* Initial release.
Only in /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/1.2.0: wing-migrator.php
Only in /home/deploy/wp-safety.org/data/plugin-versions/wing-migrator/2.0.0: wing-wordpress-migrator.php

Exploit Outline

The exploit targets administrative endpoints in the WING Website Migrator plugin that process state-changing actions (such as AJAX actions hooked to 'wp_ajax_*' or admin post handlers hooked to 'admin_post_*') without verifying a security nonce. An attacker identifies a function that handles migration or configuration data and constructs a malicious HTML page containing an auto-submitting form or cross-site request (e.g., via JavaScript) directed at the vulnerable endpoint. When a logged-in administrator visits this malicious page, their browser automatically includes their authentication cookies in the request. Because the plugin does not validate a nonce, it treats the unauthorized request as a legitimate action performed by the administrator, allowing the attacker to manipulate migration tasks or plugin settings.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.