Skip to main content

WordPress Admin Bar Improved CVE-2025-30552

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Donald Gilbert WordPress Admin Bar Improved allows Stored XSS. This issue affects WordPress Admin Bar Improved: from n/a through 3.3.5.

AnalysisAI

Cross-Site Request Forgery (CSRF) enables stored cross-site scripting (XSS) in WordPress Admin Bar Improved plugin versions up to 3.3.5, allowing attackers to trick authenticated administrators into executing malicious code that persists in the WordPress admin interface. The vulnerability chains CSRF with stored XSS, enabling attackers to inject scripts that execute whenever any user accesses affected admin pages. EPSS exploitation probability is low (0.08%, 24th percentile), no active exploitation confirmed via CISA KEV, and Patchstack has documented this vulnerability with attack chain details.

Technical ContextAI

This vulnerability represents a CSRF-to-XSS attack chain (CWE-352) in a WordPress plugin that modifies the admin toolbar interface. The CSRF vulnerability exists due to insufficient anti-CSRF token validation on plugin settings or configuration endpoints. Successful CSRF exploitation allows attackers to modify plugin settings or inject data without proper authorization. The stored XSS component means malicious JavaScript payloads persist in the WordPress database and execute in admin contexts. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C indicates network-accessible exploitation with low complexity, requiring no privileges but needing user interaction (admin must visit attacker-controlled page or click malicious link). The changed scope (S:C) reflects XSS execution in victims' browser contexts beyond the vulnerable plugin itself, potentially affecting the entire WordPress admin interface and any logged-in administrator account.

Affected ProductsAI

WordPress Admin Bar Improved plugin versions from initial release through 3.3.5 are vulnerable, affecting WordPress installations running this plugin. The vulnerability exists in the plugin's settings management functionality where CSRF protection is insufficient, allowing the chained CSRF-to-stored-XSS attack. Patchstack documented this vulnerability at https://patchstack.com/database/wordpress/plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability, which serves as the primary reference for affected version confirmation and technical details.

RemediationAI

Immediately update WordPress Admin Bar Improved plugin to version 3.3.6 or later if available, verifying the patched version through the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability. If no patched version is confirmed available, deactivate and remove the plugin entirely until vendor releases a fix, replacing functionality with alternative admin bar customization plugins that have recent security updates. As compensating controls if plugin must remain active: implement WordPress-level CSRF protection via security plugins like Wordfence or Sucuri that add request validation layers, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules (note: this limits legitimate remote admin access), enable Content Security Policy headers to mitigate XSS execution (may break legitimate admin scripts), and educate administrators to never visit external links while logged into WordPress admin (difficult to enforce, high user friction). Review WordPress admin user sessions and audit plugin settings for unauthorized modifications if exploitation is suspected.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-30552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy