CVE-2025-30565
Published: 24 March 2025
Summary
CVE-2025-30565 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30565 is a Cross-Site Request Forgery (CSRF) vulnerability in the karrikas banner-manager WordPress plugin that can be chained into stored XSS. It affects banner-manager versions up to and including 16.04.19 (the earliest affected version is not specified). The issue is classified as CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The attacker needs no account on the target site (PR:N) and the attack is low-complexity (AC:L), but it requires user interaction (UI:R): a user who is logged into the WordPress site with permission to manage banners, typically an administrator, must be induced to load an attacker-controlled page or click a link. That page submits a forged request in the victim's browser, which carries the victim's session cookies, and the plugin accepts it because it does not bind the request to a per-action, per-session anti-CSRF token. The forged request stores an XSS payload in banner content; the payload then executes in the browsers of other users wherever the banner is rendered, which is why scope is rated changed (S:C) and confidentiality, integrity and availability each take a low-rated hit.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/banner-manager/vulnerability/wordpress-banner-manager-plugin-16-04-19-csrf-to-stored-xss-vulnerability?_s_id=cve covers this CSRF-to-stored-XSS issue in banner-manager versions through 16.04.19. Consult it for the current remediation status and apply the plugin update if one is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7953
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in karrikas banner-manager banner-manager allows Stored XSS. This issue affects banner-manager: from n/a through <= 16.04.19.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- Exploit Public-Facing Application (T1190)
Why these techniques?
This is a vulnerability in a public-facing WordPress plugin that can be directly exploited remotely via CSRF to achieve stored XSS, matching the definition of exploiting public-facing applications for initial access.
Affected Assets
- karrikas banner-manager WordPress plugin, versions through 16.04.19
Mitigating Controls (NIST 800-53 r5) (AI)
- Flaw remediation (patching): directly mitigates the CVE by requiring timely identification, reporting and patching of the CSRF-to-stored-XSS flaw in the banner-manager plugin up to version 16.04.19.
- SC-23 (Session Authenticity): prevents CSRF exploitation by binding state-changing requests to the user's session with anti-CSRF tokens (WordPress nonces), so a request forged from another origin is rejected.
- SI-10 (Information Input Validation): blocks storage of XSS payloads submitted via CSRF by validating and sanitizing the inputs to the plugin's banner-management functions before they are persisted, and escaping them again on output.
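The following is an added illustration of the two controls above (SC-23 via a WordPress nonce, SI-10 via sanitization), written in PHP against the public WordPress API. It is not the banner-manager plugin's own code: the handler names (bm_save_banner_*), the option key (bm_banner), the form field names and the capability check are assumptions chosen for the example. The vulnerable handler shows the shape of a CSRF-to-stored-XSS bug of the kind described in the advisory; the hardened handler shows the fix.

```php
<?php
// Added example, not the banner-manager plugin's code. Names prefixed bm_
// and the option key 'bm_banner' are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check, raw input stored ---
function bm_save_banner_vulnerable() {
    // Any POST reaching admin-post.php is trusted. A hidden form on an
    // attacker's page, auto-submitted by a logged-in admin's browser, lands
    // here with the admin's cookies and is accepted (CSRF). Whatever it
    // sends is stored verbatim and later echoed to visitors (stored XSS).
    update_option( 'bm_banner', array(
        'title' => $_POST['title'],
        'html'  => $_POST['html'],
        'link'  => $_POST['link'],
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=bm' ) );
    exit;
}

// --- Hardened pattern ---
function bm_save_banner_hardened() {
    // SC-23: the request must carry a nonce tied to this action and the
    // current user's session. A cross-site form cannot obtain it, so a
    // forged request dies here with a 403 before anything is written.
    check_admin_referer( 'bm_save_banner', '_bm_nonce' );

    // Authorization is a separate check from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // SI-10: validate and sanitize every field before it is stored.
    $banner = array(
        // plain text only: tags and control characters are removed
        'title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        // limited HTML: <script>, on* handlers and javascript: URLs are stripped
        'html'  => wp_kses_post( wp_unslash( $_POST['html'] ?? '' ) ),
        // only allowed URL protocols survive; javascript: becomes ''
        'link'  => esc_url_raw( wp_unslash( $_POST['link'] ?? '' ) ),
    );
    update_option( 'bm_banner', $banner );
    wp_safe_redirect( admin_url( 'admin.php?page=bm' ) );
    exit;
}
add_action( 'admin_post_bm_save_banner', 'bm_save_banner_hardened' );

// The legitimate settings form must emit the matching nonce field.
function bm_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bm_save_banner">
        <?php wp_nonce_field( 'bm_save_banner', '_bm_nonce' ); ?>
        <input name="title">
        <textarea name="html"></textarea>
        <input name="link">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Output is escaped again where the banner is rendered on the public site,
// so a payload stored before the fix was deployed still cannot execute.
function bm_render_banner() {
    $b = get_option( 'bm_banner', array() );
    echo '<a href="' . esc_url( $b['link'] ?? '' ) . '">'
        . esc_html( $b['title'] ?? '' ) . '</a>';
    echo wp_kses_post( $b['html'] ?? '' );
}
```

Two points worth checking in any plugin fix for this class of bug: the nonce check must run before any write (a check placed after update_option still lets the forged request land), and output escaping is not optional even with input sanitization, because records stored by an older, vulnerable version of the plugin remain in the database after the update.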