CVE-2025-30857
Published: 27 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-30857 is a Cross-Site Request Forgery (CSRF) vulnerability in the PressMaximum Currency Switcher for WooCommerce plugin (currency-switcher-for-woocommerce) that allows Stored XSS. The issue affects the plugin from unspecified initial versions through 0.0.7.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no privileges required, though it demands user interaction such as clicking a malicious link or performing a forged request. Exploitation enables the storage of XSS payloads, potentially leading to script execution in the browsers of site users who view affected content, with low impacts on confidentiality, integrity, and availability under a changed scope (CVSS 7.1; CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory provides further details on this vulnerability, including vulnerability assessment for the WordPress Currency Switcher for WooCommerce plugin version 0.0.7, available at https://patchstack.com/database/Wordpress/Plugin/currency-switcher-for-woocommerce/vulnerability/wordpress-currency-switcher-for-woocommerce-plugin-0-0-7-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin enables remote exploitation of web applications (T1190) and facilitates JavaScript execution via injected payloads in user browsers (T1059.007).