Cyber Resilience

CVE-2025-30565

Severity: High

Published: 24 March 2025
Modified: 23 April 2026
KEV added: not listed
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0008 (24.3rd percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30565 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-30565 is a Cross-Site Request Forgery (CSRF) vulnerability in the karrikas banner-manager WordPress plugin that allows Stored XSS. This issue affects the banner-manager plugin from unknown initial versions through 16.04.19, as documented with CWE-352 and a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, though it requires user interaction such as an authenticated user clicking a malicious link. The CSRF tricks that user's browser into submitting an unintended request to the plugin, which stores an XSS payload; the payload then executes in the context of other users viewing the affected pages. The result is low-rated impacts on confidentiality, integrity, and availability, with changed scope because the stored script runs in victims' browsers rather than on the vulnerable component itself.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/banner-manager/vulnerability/wordpress-banner-manager-plugin-16-04-19-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-Stored XSS issue in banner-manager version 16.04.19. Security practitioners should consult the advisory for recommended mitigations, such as plugin updates if available.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in karrikas banner-manager banner-manager allows Stored XSS. This issue affects banner-manager: from n/a through <= 16.04.19.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

This is a vulnerability in a public-facing WordPress plugin that can be directly exploited remotely via CSRF to achieve stored XSS, matching the definition of exploiting public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely identification, reporting, and patching of the CSRF-to-Stored XSS flaw in the banner-manager plugin up to version 16.04.19.

Prevent (SC-23 Session Authenticity): Prevents CSRF exploitation by enforcing session authenticity mechanisms, such as anti-CSRF tokens bound to the user's session, so that requests forged through an authenticated user's browser are rejected.

Prevent (SI-10 Information Input Validation): Blocks storage of XSS payloads submitted via CSRF by validating and sanitizing inputs to the banner management functions of the WordPress plugin.
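To make the CSRF-to-stored-XSS chain described under "Deeper analysis" and the two controls above concrete, here is an added illustration written for this page; it is not code from the banner-manager plugin or from Patchstack. It shows a hypothetical banner save handler in the vulnerable shape, then the same handler hardened with a WordPress nonce (session authenticity) and allow-list sanitization (input validation); the function names, option name and form field are assumed.

```php
<?php
// Added illustration, not the plugin's code. Handler names (bm_*), the option
// key 'bm_banner_html' and the field 'banner_html' are assumed for this example.

// Vulnerable shape: any POST reaching this handler is trusted and the raw value
// is stored. A forged request sent from a logged-in admin's browser can persist
// markup that later renders, unescaped, in other users' pages.
function bm_save_banner_unsafe() {
    if ( isset( $_POST['banner_html'] ) ) {
        // No nonce check, no capability check, no sanitizing.
        update_option( 'bm_banner_html', $_POST['banner_html'] );
    }
}

// Hardened shape. SC-23: the form carries a nonce tied to the user's session
// and to this specific action, and the handler refuses requests without it.
// SI-10: the submitted HTML is reduced to WordPress's post-safe allow-list
// before storage and escaped again on output.
function bm_render_banner_form() {
    echo '<form method="post">';
    wp_nonce_field( 'bm_save_banner', 'bm_nonce' ); // binds request to session + action
    echo '<textarea name="banner_html"></textarea>';
    submit_button( 'Save banner' );
    echo '</form>';
}

function bm_save_banner_safe() {
    if ( ! isset( $_POST['banner_html'] ) ) {
        return;
    }
    // A cross-site page cannot read the nonce, so a forged POST fails here.
    if ( ! isset( $_POST['bm_nonce'] )
        || ! wp_verify_nonce( $_POST['bm_nonce'], 'bm_save_banner' ) ) {
        wp_die( 'Invalid request token.', '', array( 'response' => 403 ) );
    }
    // Authorization is separate from CSRF protection; check it too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // wp_kses_post strips <script>, on* handlers and javascript: URLs,
    // keeping only the tags and attributes allowed in post content.
    $clean = wp_kses_post( wp_unslash( $_POST['banner_html'] ) );
    update_option( 'bm_banner_html', $clean );
}

function bm_output_banner() {
    // Filter again at render time so a value stored by older, unsanitized
    // code cannot execute once the fix is deployed.
    echo wp_kses_post( get_option( 'bm_banner_html', '' ) );
}
```

For detection, a CSRF attempt against the hardened handler surfaces as a 403 from wp_die on the admin endpoint with a missing or stale nonce, which is worth alerting on when it originates from a Referer outside the site.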
