Skip to main content

CallPhone'r WordPress Plugin CVE-2025-30550

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r allows Stored XSS. This issue affects CallPhone'r: from n/a through 1.1.1.

AnalysisAI

CSRF vulnerability in CallPhone'r WordPress plugin through version 1.1.1 enables attackers to trick authenticated administrators into executing malicious requests that inject persistent XSS payloads into the application. This chained attack bypasses CSRF protections, allowing stored cross-site scripting that executes in victim browsers. The vulnerability requires user interaction (tricking an admin to click a malicious link) but needs no authentication from the attacker's perspective. EPSS probability of 0.08% (24th percentile) indicates low observed exploitation in the wild, with no CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

This is a CSRF vulnerability (CWE-352) that chains into stored XSS, affecting the CallPhone'r WordPress plugin up to version 1.1.1. CSRF flaws occur when an application fails to validate that state-changing requests originate from authenticated users rather than malicious third-party sites. In WordPress plugins, this typically manifests as missing or improperly implemented nonce verification on admin-accessible forms or AJAX endpoints. The CSRF allows an attacker to forge requests that inject malicious JavaScript payloads, which are then permanently stored in the database and executed when other users (including administrators) view affected pages. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, consistent with XSS executing in victim browser contexts separate from the plugin's backend security boundary.

Affected ProductsAI

The vulnerability affects WPShop.ru CallPhone'r WordPress plugin versions from the earliest available release through version 1.1.1. Specific version range details beyond 'through 1.1.1' are not provided in available data, suggesting all historical versions may be vulnerable. The product is distributed through WordPress plugin repositories and is developed by WPShop.ru. According to Patchstack vulnerability database references, version 1.1.1 is confirmed vulnerable. Organizations should check installed plugin versions in WordPress admin dashboards under Plugins section to identify CallPhone'r installations at version 1.1.1 or earlier.

RemediationAI

Primary remediation is to upgrade CallPhone'r plugin to a version newer than 1.1.1 if a patched release exists; however, no specific fixed version number is confirmed in available advisory data from Patchstack references. Site administrators should check the WordPress plugin repository or contact WPShop.ru directly for patch availability. If no patched version is available, implement compensating controls: disable the CallPhone'r plugin entirely if not business-critical, restrict WordPress admin panel access to trusted IP ranges via .htaccess or firewall rules to reduce CSRF attack surface, implement Content Security Policy headers to mitigate stored XSS execution (set script-src directives to block inline scripts and only allow trusted domains), and train administrators to never click external links while authenticated to WordPress admin panels. Note that CSP implementation may break legitimate plugin functionality if it relies on inline JavaScript, requiring testing before production deployment. Monitor WordPress admin activity logs for unexpected configuration changes that might indicate successful CSRF exploitation.

Share

CVE-2025-30550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy