CVE-2025-30620
Published: 24 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-30620 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Odoo Form Integrator WordPress plugin by coderscom that can be leveraged to achieve Stored XSS. The issue affects all versions of the plugin from n/a through 1.1.0 and is classified under CWE-352.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) by tricking an authenticated user into interacting with a malicious request (UI:R), such as clicking a crafted link or submitting a forged form that is sent with the victim's existing session. Successful exploitation results in Stored XSS, allowing attackers to inject malicious scripts that persist on the site, with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) but a changed scope (S:C), giving a CVSS v3.1 base score of 7.1.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-odoo-form-integrator/vulnerability/wordpress-wp-odoo-form-integrator-plugin-1-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-352
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF to Stored XSS chain in a public-facing WordPress plugin directly maps to T1190 (Exploit Public-Facing Application), since the flaw is reachable remotely over the network, and to T1059.007 (JavaScript), since the injected script persists on the site and executes in the browsers of subsequent visitors.