CVE-2025-30578

CVE-2025-30578 is a Cross-Site Request Forgery (CSRF) vulnerability in the hotvanrod AdSense Privacy Policy WordPress plugin (adsense-privacy-policy) that enables Stored XSS. Published on 2025-03-24, it affects all versions from unknown initial release through 1.1.1 and is associated with CWE-352. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.

Attackers without privileges can exploit this over the network by tricking authenticated users, typically site administrators, into visiting a malicious webpage that submits a forged request. This bypasses CSRF protections, allowing injection of malicious payloads that result in stored XSS, enabling script execution in the site's context with low impacts on confidentiality, integrity, and availability but potential for broader compromise through persistent cross-site scripting.

Patchstack advisories detail the vulnerability in the WordPress plugin, available at https://patchstack.com/database/Wordpress/Plugin/adsense-privacy-policy/vulnerability/wordpress-adsense-privacy-policy-plugin-1-1-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve, where security practitioners can find guidance on verification, patches, and mitigation steps.