CVE-2025-30769
Published: 27 March 2025
Summary
CVE-2025-30769 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 45.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30769 is a Cross-Site Request Forgery (CSRF) vulnerability in the WIP WooCarousel Lite WordPress plugin (wip-woocarousel-lite) by alexvtn that allows Stored XSS. The issue affects all versions from n/a through 1.1.7, as documented under CWE-352.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges required, though user interaction is necessary. Successful exploitation via CSRF enables the storage of XSS payloads, resulting in low impacts to confidentiality, integrity, and availability with a changed scope, per its CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory provides further details on this vulnerability at https://patchstack.com/database/Wordpress/Plugin/wip-woocarousel-lite/vulnerability/wordpress-wip-woocarousel-lite-plugin-1-1-7-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8396
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in alexvtn WIP WooCarousel Lite (wip-woocarousel-lite) allows Stored XSS. This issue affects WIP WooCarousel Lite: from n/a through <= 1.1.7.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The vulnerability is a remote CSRF leading to Stored XSS in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190) and facilitating arbitrary JavaScript execution via the injected XSS payload (T1059.007).
Affected Assets
- WIP WooCarousel Lite WordPress plugin (wip-woocarousel-lite) by alexvtn, all versions through 1.1.7
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Enforces session authenticity mechanisms such as anti-CSRF tokens to directly prevent unauthorized forged requests that store XSS payloads.
- SI-10 (Information Input Validation): Validates all user inputs to block malicious XSS payloads from being accepted and stored via the CSRF vector.
- Output encoding: Filters outputs to web pages to neutralize any stored XSS payloads before they execute in users' browsers.
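The three controls above applied to a WordPress admin form handler, as an added example that is not the plugin's own code (the page gives no details of the affected handler): the request-handling shape that produces CSRF-to-stored-XSS is shown beside a hardened version. The option name, admin-post action and field names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical carousel-title
// settings handler, first in the shape that yields CSRF-to-stored-XSS,
// then hardened with the three controls listed above. All names
// (option 'demo_carousel_title', action 'demo_save_carousel') are made up.

// --- Vulnerable shape (shown for contrast only, never hooked) ---
function demo_save_carousel_vulnerable() {
    // No nonce, no capability check: any POST reaching this action with the
    // admin's cookies is honoured, including one auto-submitted from another site.
    update_option( 'demo_carousel_title', $_POST['title'] ); // stored unsanitised
}
function demo_render_carousel_vulnerable() {
    // Stored value echoed verbatim, so injected markup runs in every viewer's browser.
    echo '<h2 class="carousel-title">' . get_option( 'demo_carousel_title' ) . '</h2>';
}

// --- Hardened: SC-23 (nonce), SI-10 (validation), output encoding ---
function demo_render_carousel_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_carousel', 'demo_nonce' ); // user- and action-bound anti-CSRF token
    echo '<input type="hidden" name="action" value="demo_save_carousel">';
    echo '<input type="text" name="title" value="' . esc_attr( get_option( 'demo_carousel_title', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
function demo_save_carousel_hardened() {
    // 1. Session authenticity: a forged cross-site POST cannot carry a valid nonce.
    if ( ! isset( $_POST['demo_nonce'] ) || ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_save_carousel' ) ) {
        wp_die( 'Request could not be verified.', '', array( 'response' => 403 ) );
    }
    // 2. Least privilege: cookies alone are not enough, the user must hold the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. Input validation: strip tags and control bytes, then bound the length.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $title = substr( $title, 0, 120 );
    update_option( 'demo_carousel_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?updated=1' ) );
    exit;
}
function demo_render_carousel_hardened() {
    // 4. Output encoding: even a bad stored value renders as inert text.
    echo '<h2 class="carousel-title">' . esc_html( get_option( 'demo_carousel_title', '' ) ) . '</h2>';
}
add_action( 'admin_post_demo_save_carousel', 'demo_save_carousel_hardened' );
```

Only the hardened handler is registered with add_action; the vulnerable functions exist solely to show which missing checks turn a cross-site POST into a persisted script payload.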