CVE-2025-30552
Published: 24 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-30552 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin WordPress Admin Bar Improved (wordpress-admin-bar-improved) developed by Donald Gilbert. The flaw can be chained into Stored Cross-Site Scripting (XSS) and affects all versions up to and including 3.3.5 (no lower bound is given). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): a high-severity issue that is network-reachable, has low attack complexity, requires no privileges but does require user interaction, changes scope, and has low impact on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability remotely by tricking a victim, typically a logged-in WordPress user such as an administrator, into interacting with a malicious webpage or resource. That interaction causes the victim's browser to send a forged request to the vulnerable plugin, which accepts it because the request carries the victim's session and is not checked for a valid origin or nonce; the attacker-controlled value is then stored in the admin bar configuration. Because that value is later rendered without adequate escaping, the stored payload executes as script in the browser of every user who subsequently views the affected area, enabling theft of session data or the other low-impact effects reflected in the CVSS metrics.
The Patchstack advisory provides detailed vulnerability information, including analysis of the CSRF-to-Stored XSS issue in version 3.3.5, at https://patchstack.com/database/Wordpress/Plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for exploitation details and recommended mitigations, such as updating to a patched version if one is available or implementing CSRF protections (a per-user, per-action nonce on state-changing requests) together with output escaping.
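The following PHP is an added illustration, not code from the WordPress Admin Bar Improved plugin or from Patchstack, of the two defects that make a CSRF-to-stored-XSS chain possible in a WordPress settings handler and of the standard WordPress fixes. The option name, nonce action, hook name, and function names (all prefixed wpabi_example_) are assumptions chosen for this example; the WordPress functions used (wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, wp_unslash, esc_html, esc_attr, admin_post_{action}) are core APIs.

```php
<?php
// Added example, not the plugin's code. Hypothetical "admin bar label" setting
// shown first in the unsafe shape and then hardened. Names prefixed
// wpabi_example_ are assumptions for this illustration.

// --- UNSAFE PATTERN (shown for contrast; deliberately not hooked anywhere) ---
function wpabi_example_save_label_unsafe() {
    // Any POST that reaches this handler is trusted: no nonce, no capability
    // check. A third-party page that auto-submits a form here while an admin is
    // logged in gets the value stored (CSRF).
    if ( isset( $_POST['wpabi_label'] ) ) {
        update_option( 'wpabi_example_label', $_POST['wpabi_label'] );
    }
}

function wpabi_example_render_label_unsafe() {
    // The stored value is echoed raw, so markup in it is rendered as-is
    // in every viewer's browser (stored XSS).
    echo '<span class="wpabi-label">' . get_option( 'wpabi_example_label', '' ) . '</span>';
}

// --- HARDENED PATTERN ---
function wpabi_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpabi_example_save_label">';
    // Emits a hidden field bound to the current user, session and this action.
    wp_nonce_field( 'wpabi_example_save_label', 'wpabi_example_nonce' );
    echo '<input type="text" name="wpabi_label" value="'
        . esc_attr( get_option( 'wpabi_example_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function wpabi_example_save_label_hardened() {
    // 1. Capability check: only users permitted to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: a forged cross-site form cannot know the victim's nonce,
    //    so the request is rejected before any state changes.
    $nonce = isset( $_POST['wpabi_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpabi_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wpabi_example_save_label' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize before storing (strips tags and control characters).
    $label = isset( $_POST['wpabi_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpabi_label'] ) )
        : '';
    update_option( 'wpabi_example_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpabi-example&updated=1' ) );
    exit;
}

function wpabi_example_render_label_hardened() {
    // 4. Escape on output regardless of what is in the database, so a value
    //    stored by an older, unsanitized version still cannot execute.
    echo '<span class="wpabi-label">'
        . esc_html( get_option( 'wpabi_example_label', '' ) ) . '</span>';
}

// Only the hardened handler is registered.
add_action( 'admin_post_wpabi_example_save_label', 'wpabi_example_save_label_hardened' );
```

The nonce and the capability check address the CSRF half of the chain; sanitizing on input and escaping on output address the stored XSS half. Both halves are needed: a nonce alone still leaves previously stored payloads executable, and escaping alone still lets an attacker rewrite the setting.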
Details
CWE(s)
- CWE-352: Cross-Site Request Forgery (CSRF)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1059.007: Command and Scripting Interpreter: JavaScript
Why these techniques?
The CSRF-to-Stored XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and allows injection and execution of malicious JavaScript payloads in the browser context of authenticated users (T1059.007).