CVE-2025-30603

CVE-2025-30603 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the DEJAN CopyLink (copy-link) WordPress plugin that enables Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from its initial release through 1.1 inclusive. It received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its network accessibility and potential for scope change despite requiring user interaction.

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R), such as tricking an authenticated user into visiting a malicious site or clicking a forged link. Exploitation via CSRF allows the attacker to induce the storage of malicious XSS payloads, potentially leading to low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) within a changed security scope (S:C), such as session hijacking or further site compromise for affected users.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/copy-link/vulnerability/wordpress-copylink-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this CSRF-to-Stored XSS issue specifically in CopyLink version 1.1. Practitioners should consult the advisory for detailed mitigation steps, including plugin updates beyond version 1.1 where available, input validation, or CSRF token implementation.