CVE-2025-30584

CVE-2025-30584 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the AlphaOmega Captcha & Anti-Spam Filter WordPress plugin developed by alphaomegaplugins. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin from unspecified initial releases through 3.3 inclusive. Published on 2025-03-24, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely without requiring authentication privileges. By tricking an authenticated user, such as a site administrator, into visiting a malicious webpage or clicking a crafted link, the attacker can force a state-changing request to the vulnerable plugin endpoint. This results in the storage of a malicious XSS payload on the target site, which executes in the context of other users' browsers due to the changed scope, enabling potential theft of session data or further site compromise with low impacts across confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/alphaomega-captcha-anti-spam/vulnerability/wordpress-alphaomega-captcha-anti-spam-filter-plugin-3-3-csrf-to-stored-xss-vulnerability?_s_id=cve.