WordPress Admin Bar Improved
CVE-2025-30552
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Donald Gilbert WordPress Admin Bar Improved allows Stored XSS. This issue affects WordPress Admin Bar Improved: from n/a through 3.3.5.
AnalysisAI
Cross-Site Request Forgery (CSRF) enables stored cross-site scripting (XSS) in WordPress Admin Bar Improved plugin versions up to 3.3.5, allowing attackers to trick authenticated administrators into executing malicious code that persists in the WordPress admin interface. The vulnerability chains CSRF with stored XSS, enabling attackers to inject scripts that execute whenever any user accesses affected admin pages. EPSS exploitation probability is low (0.08%, 24th percentile), no active exploitation confirmed via CISA KEV, and Patchstack has documented this vulnerability with attack chain details.
Technical ContextAI
This vulnerability represents a CSRF-to-XSS attack chain (CWE-352) in a WordPress plugin that modifies the admin toolbar interface. The CSRF vulnerability exists due to insufficient anti-CSRF token validation on plugin settings or configuration endpoints. Successful CSRF exploitation allows attackers to modify plugin settings or inject data without proper authorization. The stored XSS component means malicious JavaScript payloads persist in the WordPress database and execute in admin contexts. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C indicates network-accessible exploitation with low complexity, requiring no privileges but needing user interaction (admin must visit attacker-controlled page or click malicious link). The changed scope (S:C) reflects XSS execution in victims' browser contexts beyond the vulnerable plugin itself, potentially affecting the entire WordPress admin interface and any logged-in administrator account.
Affected ProductsAI
WordPress Admin Bar Improved plugin versions from initial release through 3.3.5 are vulnerable, affecting WordPress installations running this plugin. The vulnerability exists in the plugin's settings management functionality where CSRF protection is insufficient, allowing the chained CSRF-to-stored-XSS attack. Patchstack documented this vulnerability at https://patchstack.com/database/wordpress/plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability, which serves as the primary reference for affected version confirmation and technical details.
RemediationAI
Immediately update WordPress Admin Bar Improved plugin to version 3.3.6 or later if available, verifying the patched version through the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability. If no patched version is confirmed available, deactivate and remove the plugin entirely until vendor releases a fix, replacing functionality with alternative admin bar customization plugins that have recent security updates. As compensating controls if plugin must remain active: implement WordPress-level CSRF protection via security plugins like Wordfence or Sucuri that add request validation layers, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules (note: this limits legitimate remote admin access), enable Content Security Policy headers to mitigate XSS execution (may break legitimate admin scripts), and educate administrators to never visit external links while logged into WordPress admin (difficult to enforce, high user friction). Review WordPress admin user sessions and audit plugin settings for unauthorized modifications if exploitation is suspected.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today