CVE-2025-30564
Published: 24 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-30564 is a Cross-Site Request Forgery (CSRF) vulnerability in the wpwox Custom Script Integration WordPress plugin (custom-script-integration) that allows Stored XSS. This issue affects all versions from n/a through 2.1 inclusive.
The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and changes scope (S:C) to achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 score of 7.1. An unauthenticated attacker can trick an authenticated user into performing a state-changing action via a forged request, leading to the storage of malicious scripts that execute in the context of other users viewing affected pages.
The Patchstack advisory provides details on this WordPress plugin vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/custom-script-integration/vulnerability/wordpress-custom-script-integration-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in a public-facing WordPress plugin enables exploitation of public-facing applications (T1190); the resulting stored XSS directly facilitates browser session hijacking by executing malicious scripts in victim browsers (T1185).