CVE-2025-30787

CVE-2025-30787 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Eli EZ SQL Reports Shortcode Widget and DB Backup ( Elisqlreports). This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 5.25.08. Published on 2025-03-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, and scope change.

Attackers can exploit this vulnerability without authentication by crafting malicious web pages or links that trick authenticated users—such as WordPress administrators—into performing unintended actions via CSRF. Successful exploitation stores XSS payloads on the affected site, allowing script execution in the context of other users' browsers. This achieves low impacts on confidentiality, integrity, and availability within a changed security scope.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including assessment and recommended actions for mitigation. Security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-stored-xss-vulnerability?_s_id=cve for patching guidance and verification steps.