CVE-2025-30565
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30565 is a Cross-Site Request Forgery (CSRF) vulnerability in the karrikas banner-manager WordPress plugin that can be chained into Stored XSS. All versions of the plugin up to and including 16.04.19 are affected (the earliest affected version is not stated). The issue is classified as CWE-352 (Cross-Site Request Forgery) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The attacker needs no account on the target site (PR:N) and the attack is low complexity, but it depends on user interaction (UI:R): a user with permission to manage banners must visit an attacker-controlled page while logged in to the WordPress site. That page auto-submits a forged request to the plugin's banner-saving handler, which accepts it because the request carries the victim's session cookies and is not protected by a CSRF token. The forged request stores markup containing a script payload; the payload then executes in the browser of anyone who views a page where the banner is rendered, which is why the scope is changed (the vulnerable component is the plugin, the impacted component is each visitor's browser) and why confidentiality, integrity and availability are each rated low.
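To make the CSRF-to-stored-XSS chain concrete, here is an added example of the pattern, written for this page and not taken from the banner-manager plugin: a minimal WordPress admin handler in the vulnerable shape next to a hardened version. The option name `bm_banner_html`, the admin-post action `bm_save_banner`, the nonce field `bm_nonce` and the `manage_options` capability are illustrative choices; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `wp_kses_post`, `esc_textarea`, `current_user_can`, `update_option`) are real.

```php
<?php
// Added example (not the banner-manager plugin's code). Names prefixed bm_ are hypothetical.

/*
 * Vulnerable shape, shown for contrast only (do not hook it):
 * no nonce, no capability check, raw storage, raw output.
 */
function bm_save_banner_vulnerable() {
    if ( isset( $_POST['banner_html'] ) ) {
        // Any POST that arrives with the admin's session cookies is accepted,
        // including one auto-submitted by a page the attacker controls (CSRF):
        //   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
        //     <input type="hidden" name="action" value="bm_save_banner">
        //     <input type="hidden" name="banner_html" value="<script>/* payload */</script>">
        //   </form><script>document.forms[0].submit()</script>
        update_option( 'bm_banner_html', wp_unslash( $_POST['banner_html'] ) );
    }
}

function bm_render_banner_vulnerable() {
    // The stored markup is echoed verbatim to every visitor: stored XSS.
    echo get_option( 'bm_banner_html', '' );
}

/*
 * Hardened shape: capability check, nonce check, input filtering, output filtering.
 */
function bm_save_banner_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // A nonce is bound to the logged-in user and this action; a cross-site
    // form cannot read it, so a forged request fails here with a 403.
    check_admin_referer( 'bm_save_banner', 'bm_nonce' );

    $html = isset( $_POST['banner_html'] ) ? wp_unslash( $_POST['banner_html'] ) : '';
    // Keep only post-safe markup: <script>, on* attributes and javascript: URLs are stripped.
    update_option( 'bm_banner_html', wp_kses_post( $html ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=bm_banner&updated=1' ) );
    exit;
}
add_action( 'admin_post_bm_save_banner', 'bm_save_banner_hardened' );

function bm_render_banner_hardened() {
    // Filter again on output so a value written by an older, unfiltered
    // version of the plugin is still neutralised when displayed.
    echo wp_kses_post( get_option( 'bm_banner_html', '' ) );
}

// Settings form that emits the nonce the hardened handler requires.
function bm_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bm_save_banner">
        <?php wp_nonce_field( 'bm_save_banner', 'bm_nonce' ); ?>
        <textarea name="banner_html"><?php echo esc_textarea( get_option( 'bm_banner_html', '' ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The two defences are independent: the nonce stops the forged write (the CSRF half of the chain), while `wp_kses_post` on input and again on output stops the script from executing even if a write does get through (the XSS half). Fixing only one of them leaves the other issue reachable by a different route, for example a compromised editor account.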
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/banner-manager/vulnerability/wordpress-banner-manager-plugin-16-04-19-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-Stored XSS issue in banner-manager 16.04.19. Consult the advisory for the fixed version, if one has been released, and for recommended mitigations; where no fix is available, deactivating the plugin removes the vulnerable handler.
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
This is a vulnerability in a publicly reachable WordPress plugin: an attacker on the Internet, with no account on the site, exploits it over the network (via a forged request that a logged-in user's browser submits) to plant stored XSS on the site. That matches the definition of exploiting a public-facing application to gain initial access.