CVE-2025-30608
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30608 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin WordPress SQL Backup (also referred to as Anthony WordPress SQL Backup) that allows Stored XSS. Published on 2025-03-24, this issue affects the plugin from unknown initial versions through version 3.5.2 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
The vulnerability can be exploited by unauthenticated attackers accessible over the network, requiring low attack complexity and user interaction, such as tricking a victim into performing a state-changing action via a forged request. Exploitation changes the scope and enables stored XSS, resulting in low impacts to confidentiality, integrity, and availability.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wordpress-sql-backup/vulnerability/wordpress-wordpress-sql-backup-3-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve, provide details on the vulnerability in version 3.5.2.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a publicly accessible WordPress plugin that enables stored XSS attacks, directly mapping to exploitation of public-facing applications.