CVE-2025-30558

CVE-2025-30558 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the ANAC XML Render WordPress plugin developed by EnzoCostantini55. This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.5.7. The vulnerability was published on 2025-03-24 and carries a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

An unauthenticated attacker (PR:N) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as tricking a site administrator into submitting a malicious request. Exploitation via CSRF enables the storage of an XSS payload, allowing arbitrary JavaScript execution in the browser context of authenticated users who view the affected content, potentially leading to session hijacking, data theft, or further site compromise with low impacts on confidentiality, integrity, and availability.

The Patchstack advisory documents this CSRF-to-Stored XSS vulnerability specifically in ANAC XML Render plugin version 1.5.7 for WordPress, providing details on the issue. Security practitioners should refer to the advisory at https://patchstack.com/database/Wordpress/Plugin/anac-xml-render/vulnerability/wordpress-anac-xml-render-plugin-1-5-7-csrf-to-stored-xss-vulnerability?_s_id=cve for recommended mitigations.