Cyber Posture

CVE-2025-30621

High

Published: 24 March 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: none recorded on this page
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS. This issue affects Translator: from n/a through 0.3.

Security Summary

CVE-2025-30621 is a Cross-Site Request Forgery (CSRF) vulnerability in the kornelly Translator WordPress plugin that can be leveraged for Stored XSS. It affects Translator versions up to and including 0.3 (the lower bound is not specified).

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges required for the attacker, user interaction required, changed scope, and low impact on confidentiality, integrity, and availability. The attacker needs no account of their own; the CSRF primitive lets them lure a logged-in user who has rights to change the affected plugin data into loading an attacker-controlled page that silently submits a forged request, so the attacker's value is written under that user's session. Because the stored value is later rendered without adequate sanitization or escaping, the injected JavaScript executes in the browsers of other users who view the affected content, which is why the scope is rated as changed.
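The pattern behind CWE-352 leading to stored XSS, shown as an added example in plain WordPress PHP. This is not code from the Translator plugin, and the handler names, action names, option key and field name (translator_demo_*, translator_label) are hypothetical: the page does not identify the real plugin's parameters. It assumes the WordPress runtime (check_admin_referer, current_user_can, update_option, sanitize_text_field, esc_html and friends). An attacker triggers the vulnerable handler with a page that auto-submits a form to admin-post.php while the victim is logged in; the hardened handler rejects that request because the cross-site form cannot obtain the nonce emitted by the plugin's own settings page.

```php
<?php
// Added example, not the Translator plugin's code. Assumes the WordPress
// runtime; all translator_demo_* names and the translator_label field are
// hypothetical placeholders for whatever the affected plugin actually uses.

// --- Vulnerable pattern (CWE-352, then stored XSS) -------------------------
// Any logged-in user who loads an attacker page that auto-submits
//   <form method="post" action="https://victim/wp-admin/admin-post.php">
//     <input name="action" value="translator_demo_save_vulnerable">
//     <input name="translator_label" value="<script>...</script>">
// has the attacker's value stored under their own session: nothing ties the
// request to a form the user actually rendered, and nothing is sanitized.
function translator_demo_save_vulnerable() {
    if ( isset( $_POST['translator_label'] ) ) {
        update_option( 'translator_demo_label', $_POST['translator_label'] ); // raw, unsanitized
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=translator-demo' ) );
    exit;
}
add_action( 'admin_post_translator_demo_save_vulnerable', 'translator_demo_save_vulnerable' );

// Rendering the stored value unescaped is the second half of the bug:
// the payload runs in the browser of every user who views this output.
function translator_demo_render_label_vulnerable() {
    echo '<span class="translator-label">' . get_option( 'translator_demo_label', '' ) . '</span>';
}

// --- Hardened pattern ------------------------------------------------------
function translator_demo_save_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must carry the token emitted by our own
    //    settings form below. A cross-site form cannot read that token, so a
    //    forged request dies here with a 403 before anything is stored.
    check_admin_referer( 'translator_demo_save', '_translator_nonce' );

    // 3. Sanitize on input: strip tags and control characters before storing.
    $label = isset( $_POST['translator_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['translator_label'] ) )
        : '';
    update_option( 'translator_demo_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=translator-demo' ) );
    exit;
}
add_action( 'admin_post_translator_demo_save_hardened', 'translator_demo_save_hardened' );

// Settings form that emits the nonce the hardened handler verifies.
function translator_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="translator_demo_save_hardened">
        <?php wp_nonce_field( 'translator_demo_save', '_translator_nonce' ); ?>
        <input type="text" name="translator_label"
               value="<?php echo esc_attr( get_option( 'translator_demo_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Escape on output: even if a bad value ever reaches the database (an
//    older row, a direct DB edit), it renders as text rather than markup.
function translator_demo_render_label_hardened() {
    echo '<span class="translator-label">'
        . esc_html( get_option( 'translator_demo_label', '' ) )
        . '</span>';
}
```

The nonce check alone closes the CSRF vector, but it does not remove the stored XSS sink; a malicious administrator, or a value that arrived before the fix, still needs the sanitize-on-input and escape-on-output steps. When reviewing a plugin for this class of bug, look for every update_option or database write reachable from admin-post.php, admin-ajax.php or a settings page and confirm that both a capability check and check_admin_referer (or wp_verify_nonce) precede it.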

The Patchstack advisory documents this CSRF-to-Stored XSS issue in Translator 0.3: https://patchstack.com/database/Wordpress/Plugin/translator/vulnerability/wordpress-translator-plugin-0-3-csrf-to-stored-xss-vulnerability?_s_id=cve. No patched version is recorded on this page, so practitioners should check the advisory for current fix status; if no fixed release is available, deactivating and removing the plugin is the reliable mitigation, and administrators should avoid browsing untrusted sites while logged in to the affected WordPress instance.

Details

CWE(s)
CWE-352

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Vulnerability in public-facing WordPress plugin enables T1190; stored XSS directly facilitates arbitrary JavaScript execution via T1059.007.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
