CVE-2025-30615

CVE-2025-30615 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP e-Commerce Style Email WordPress plugin developed by Jacob Schwartz. This flaw allows code injection and affects all versions of the plugin from its initial release through 0.6.2. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for high impacts across confidentiality, integrity, and availability with scope change.

Unauthenticated attackers (PR:N) can exploit the CSRF vulnerability remotely (AV:N) by tricking authenticated users into interacting with a malicious site (UI:R), such as clicking a forged link or loading a malicious page. Low complexity (AC:L) enables this without advanced skills. Successful exploitation allows code injection, escalating to remote code execution on the affected WordPress server, with changed scope (S:C) enabling high-impact compromise (C:H/I:H/A:H).

Patchstack provides details on the vulnerability, including analysis of the CSRF-to-remote-code-execution chain, in their advisory at https://patchstack.com/database/Wordpress/Plugin/wp-e-commerce-style-email/vulnerability/wordpress-wp-e-commerce-style-email-plugin-0-6-2-csrf-to-remote-code-execution-vulnerability?_s_id=cve.