CVE-2025-30995
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Widgetize Pages Light plugin (up to version 3.0) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can trick authenticated users with higher privileges into performing unauthorized actions, which results in malicious scripts being stored and executed on the site. The vulnerability is categorized under OWASP Top 10 A1: Broken Access Control and does not require authentication to exploit. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts on your website by exploiting authenticated users, potentially leading to data theft, session hijacking, defacement, or other malicious activities. Since the plugin is abandoned and unpatched, the risk remains unless the plugin is removed or a virtual patch is applied. The CVSS score of 7.1 indicates a notable risk that could impact the security and integrity of your site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a Cross-Site Request Forgery (CSRF) leading to Stored Cross Site Scripting (XSS) in the Widgetize Pages Light WordPress plugin up to version 3.0. Detection involves checking if the vulnerable plugin is installed and active on your WordPress site. Since the vulnerability requires no authentication to exploit, monitoring for unusual or unauthorized actions performed by authenticated users could indicate exploitation attempts. Specific commands are not provided in the resources, but you can check the plugin version via WordPress CLI with: `wp plugin list` and look for 'widgetize-pages-light' version 3.0 or below. Additionally, monitoring HTTP requests for suspicious CSRF attempts or stored XSS payloads in plugin-related pages may help detect exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the Widgetize Pages Light plugin, as no official fix or patch is available and the plugin is abandoned. Simply deactivating the plugin is insufficient unless a virtual patch (vPatch) is applied. Patchstack offers vPatching services that automatically protect affected sites without official patches. Therefore, users are strongly advised to either remove and replace the plugin with a secure alternative or apply a vPatch from Patchstack to mitigate the vulnerability. [1]