CVE-2025-30787
Published: 27 March 2025
Summary
CVE-2025-30787 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30787 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Eli EZ SQL Reports Shortcode Widget and DB Backup ( Elisqlreports). This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 5.25.08. Published on 2025-03-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, and scope change.
Attackers can exploit this vulnerability without authentication by crafting malicious web pages or links that trick authenticated users—such as WordPress administrators—into performing unintended actions via CSRF. Successful exploitation stores XSS payloads on the affected site, allowing script execution in the context of other users' browsers. This achieves low impacts on confidentiality, integrity, and availability within a changed security scope.
The Patchstack advisory provides details on this WordPress plugin vulnerability, including assessment and recommended actions for mitigation. Security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-stored-xss-vulnerability?_s_id=cve for patching guidance and verification steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8369
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that is exploited via crafted malicious links or pages to trick authenticated users into storing XSS payloads.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the specific CSRF-to-stored XSS vulnerability by identifying, patching, or removing the affected plugin versions.
Session authenticity mechanisms, such as CSRF tokens, prevent unauthorized cross-site requests that trick users into storing XSS payloads.
Information input validation sanitizes or rejects malicious XSS payloads submitted via CSRF, preventing their storage in the plugin.