CVE-2025-30528
Published: 24 March 2025
Summary
CVE-2025-30528 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30528 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Awesome Logos WordPress plugin developed by wpshopee. This flaw enables SQL Injection and affects all versions of the plugin from n/a through 1.2 inclusive. The vulnerability was published on 2025-03-24 and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact.
An unauthenticated remote attacker can exploit this CSRF-to-SQL Injection vulnerability over the network. By tricking a victim into performing a malicious request—potentially without direct user interaction as scored—they can achieve high-impact unauthorized data disclosure through SQL queries, alongside low availability disruption. The scoped nature of the attack amplifies its potential within the affected context.
Mitigation guidance is detailed in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/awesome-logos/vulnerability/wordpress-awesome-logos-plugin-1-2-csrf-to-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7985
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in wpshopee Awesome Logos awesome-logos allows SQL Injection.This issue affects Awesome Logos: from n/a through <= 1.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF-to-SQLi vulnerability in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application for initial access and data disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation including patching the specific CSRF-to-SQL Injection vulnerability in the Awesome Logos WordPress plugin.
SC-23 enforces session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized forged requests that trigger the SQL Injection.
SI-10 validates information inputs to detect and reject malicious SQL payloads delivered via the CSRF vector.