The Pagerank Tools plugin for WordPress, maintained by mahype, suffers from a Stored Cross-Site Scripting vulnerability enabled by a Cross-Site Request Forgery attack vector (CVE-2025-12416). The root cause is the absence of nonce validation in the pr_save_settings() function, combined with inadequate input sanitization of user-supplied data. Nonce validation is a critical security mechanism in WordPress to ensure that requests are legitimate and initiated by authorized users. Without this protection, attackers can craft malicious requests that, when executed by an authenticated administrator (via social engineering such as clicking a link), inject persistent malicious scripts into the plugin's settings. These scripts execute whenever the settings page is loaded, potentially allowing attackers to steal cookies, hijack sessions, or perform actions on behalf of the administrator. The vulnerability affects all versions up to and including 1.1.5. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently available, and no exploits have been observed in the wild. This vulnerability highlights the importance of nonce validation and proper input sanitization in WordPress plugin development to prevent CSRF and stored XSS attacks.

This vulnerability can lead to unauthorized script injection in the WordPress admin environment, compromising the confidentiality and integrity of the affected site. Attackers can steal sensitive information such as authentication cookies or tokens, enabling session hijacking and unauthorized access. They may also manipulate plugin settings or perform administrative actions without consent. Although availability is not directly impacted, the breach of administrative control can lead to further exploitation or persistent backdoors. Organizations running websites with the Pagerank Tools plugin are at risk of targeted attacks, especially if administrators are tricked into interacting with malicious content. The scope of impact is significant for websites relying on this plugin for SEO or ranking metrics, potentially affecting site reputation and user trust.

Immediate mitigation involves disabling or removing the Pagerank Tools plugin until a patched version is released. Administrators should avoid clicking on suspicious links or visiting untrusted websites while logged into WordPress admin. Implement web application firewalls (WAFs) with rules to detect and block CSRF and XSS attack patterns targeting the plugin’s endpoints. Site owners should enforce strict Content Security Policies (CSP) to limit script execution sources. Monitoring admin activity logs for unusual changes in plugin settings can help detect exploitation attempts. Developers should update the plugin to include nonce validation in all state-changing requests and apply rigorous input sanitization and output encoding. Until a patch is available, consider restricting admin access to trusted IP addresses and using multi-factor authentication to reduce risk.