CVE-2025-30588
Published: 24 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-30588 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Map Contact by ryan_xantoo, which enables Stored XSS. The flaw affects all versions of the Map Contact plugin from unknown initial versions through 3.0.4 inclusive. It carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, and maps to CWE-352 (Cross-Site Request Forgery).
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking authenticated users into interacting with a malicious request (UI:R), such as via a crafted link or form. Exploitation changes scope (S:C) and allows storage of XSS payloads, potentially leading to low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/map-contact/vulnerability/wordpress-map-contact-plugin-3-0-4-csrf-to-stored-xss-vulnerability?_s_id=cve details the vulnerability in the Map Contact plugin version 3.0.4.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to Stored XSS in public-facing WordPress plugin directly enables T1190 (exploit public-facing app) and is delivered via crafted malicious links (T1204.001).