CVE-2025-30857
Published: 27 March 2025
Summary
CVE-2025-30857 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30857 is a Cross-Site Request Forgery (CSRF) vulnerability in the PressMaximum Currency Switcher for WooCommerce plugin (currency-switcher-for-woocommerce) that allows Stored XSS. The issue affects the plugin from unspecified initial versions through 0.0.7.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no privileges required, though it demands user interaction such as clicking a malicious link or performing a forged request. Exploitation enables the storage of XSS payloads, potentially leading to script execution in the browsers of site users who view affected content, with low impacts on confidentiality, integrity, and availability under a changed scope (CVSS 7.1; CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory provides further details on this vulnerability, including vulnerability assessment for the WordPress Currency Switcher for WooCommerce plugin version 0.0.7, available at https://patchstack.com/database/Wordpress/Plugin/currency-switcher-for-woocommerce/vulnerability/wordpress-currency-switcher-for-woocommerce-plugin-0-0-7-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8344
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in PressMaximum Currency Switcher for WooCommerce currency-switcher-for-woocommerce allows Stored XSS.This issue affects Currency Switcher for WooCommerce: from n/a through <= 0.0.7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin enables remote exploitation of web applications (T1190) and facilitates JavaScript execution via injected payloads in user browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the CSRF-to-stored XSS flaw in the plugin by identifying, reporting, and applying patches in a timely manner.
Enforces session authenticity mechanisms such as CSRF tokens to prevent unauthenticated forged requests from storing XSS payloads.
Validates and sanitizes inputs to block malicious XSS payloads from being stored via the CSRF vulnerability.