CVE-2025-30550
Published: 24 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-30550 is a Cross-Site Request Forgery (CSRF) vulnerability in the WPShop.ru CallPhone'r WordPress plugin, also known as callphoner, that enables Stored XSS. This issue affects the plugin from unknown initial versions through version 1.1.1 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited by unauthenticated attackers accessible over the network, with low attack complexity but requiring user interaction, such as clicking a malicious link. Successful exploitation changes the scope to cross-origin (S:C), allowing limited impacts on confidentiality, integrity, and availability through the resulting Stored XSS, such as potential script execution in the context of the targeted user's browser.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/callphoner/vulnerability/wordpress-callphone-r-plugin-1-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the CSRF-to-Stored XSS vulnerability specific to CallPhone'r plugin version 1.1.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing WordPress plugin directly enables exploitation of the web application (T1190). The CSRF-to-Stored XSS attack vector requires the victim to click a malicious link to trigger the forged request, facilitating T1204.001.