CVE-2025-30783
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30783 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP Google Review Slider plugin (wp-google-places-review-slider) for WordPress, developed by jgwhite33. The flaw enables SQL Injection and affects all versions from n/a through 16.0 inclusive. It received a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), indicating high severity: the issue is network-reachable with low attack complexity, requires no privileges but does require user interaction, changes scope, and has high confidentiality impact, no integrity impact, and low availability impact.
An attacker can exploit this vulnerability remotely without authenticating, by tricking a legitimate user (likely an authenticated WordPress administrator or editor) into performing a malicious action, such as visiting a crafted webpage or clicking a link. The victim's browser then sends a request to a plugin endpoint that lacks proper CSRF token validation, and the unvalidated request parameters reach a SQL query, resulting in SQL Injection. Successful exploitation allows the attacker to extract sensitive data from the database (high confidentiality impact) while causing limited availability disruption.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-google-places-review-slider/vulnerability/wordpress-wp-google-review-slider-plugin-16-0-csrf-to-sql-injection-vulnerability?_s_id=cve.
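To make the CSRF-to-SQLi chain concrete from a defender's side, here is an added PHP illustration (not code from the WP Google Review Slider plugin, whose source this advisory does not show) of a hypothetical WordPress admin-ajax handler in the weak shape described above, beside a hardened version that applies a nonce check, a capability check, input validation and a prepared statement. Function, action and table names are assumed.

```php
<?php
// Added illustration only; names are hypothetical and the table
// wp_wprs_reviews does not belong to any real plugin.

// --- Weak pattern (CWE-352 + CWE-89): no nonce, no capability check,
// and the request value is interpolated straight into SQL. A forged
// cross-site request riding on a logged-in admin's session reaches it.
function wprs_demo_weak_handler() {
    global $wpdb;
    $id  = $_POST['review_id'];                       // attacker-controlled
    $sql = "SELECT * FROM {$wpdb->prefix}wprs_reviews WHERE id = $id";
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// --- Hardened pattern: verify the nonce tied to this action, require a
// capability, coerce the input type, and let $wpdb->prepare() bind it.
function wprs_demo_safe_handler() {
    global $wpdb;
    // Dies with HTTP 403 unless a valid nonce for this action arrived in
    // the 'nonce' field; a third-party page cannot obtain one because it
    // is generated per user session by WordPress.
    check_ajax_referer( 'wprs_demo_review_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['review_id'] ) ? absint( $_POST['review_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    // %d placeholder: the value is bound as an integer, never as SQL text.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}wprs_reviews WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_wprs_demo_review', 'wprs_demo_safe_handler' );

// The legitimate admin page embeds the matching nonce so its own requests
// pass, e.g. wp_nonce_field( 'wprs_demo_review_action', 'nonce' ) in a
// form, or wp_create_nonce( 'wprs_demo_review_action' ) handed to JS via
// wp_localize_script().
```

Both halves of the fix matter: the nonce stops a cross-site page from driving the endpoint, and the prepared statement ensures that even a request which does get through cannot alter the query.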
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables remote exploitation of the application via SQL Injection for database data extraction.