CVE-2025-30577

CVE-2025-30577 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Browser Address Bar Color WordPress plugin developed by mendibass (slug: browser-address-bar-color). This flaw enables Stored XSS and affects all versions from n/a through 3.3. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, and low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by crafting a malicious request that a victim—typically an authenticated WordPress user with sufficient privileges—is tricked into submitting, such as via a malicious webpage. This CSRF action leads to the injection of a Stored XSS payload within the plugin's context. Once stored, the XSS executes in the browsers of subsequent administrators or users viewing affected pages, potentially enabling session hijacking, data theft, or further site compromise.

Mitigation details are outlined in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/browser-address-bar-color/vulnerability/wordpress-browser-address-bar-color-plugin-3-3-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version beyond 3.3 if available and implement standard CSRF protections like nonces in WordPress plugins.