CVE-2025-9885: 
WordPress vulnerability analysis and mitigation

The MPWizard – Create Mercado Pago Payment Links plugin for WordPress has been identified with a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-9885. The vulnerability affects all versions up to and including 1.2.1, and was disclosed on October 3, 2025. This security issue impacts WordPress installations using the affected plugin versions (NVD CVE).

The vulnerability stems from missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. The CVSS v3.1 score is 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction with low attack complexity (NVD CVE, Wordfence Intel).

When exploited, this vulnerability allows unauthenticated attackers to delete arbitrary posts from the WordPress installation. The attack is only successful if an attacker can trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD CVE).

Website administrators running the MPWizard plugin should ensure they are running a version newer than 1.2.1 if available. Until a patch is released, administrators should exercise caution when clicking on links while logged into the WordPress admin panel (NVD CVE).