Skip to main content

WordPres 同步微博 CVE-2025-30555

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:17 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in iiiryan WordPres 同步微博 allows Stored XSS. This issue affects WordPres 同步微博: from n/a through 1.1.0.

AnalysisAI

CSRF vulnerability in WordPres 同步微博 WordPress plugin enables stored XSS attacks against site administrators. Unauthenticated remote attackers can craft malicious pages that trick authenticated administrators into executing attacker-controlled JavaScript stored in the WordPress database, leading to account compromise, content manipulation, or site takeover. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

This is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352 that chains into stored XSS. The WordPres 同步微博 plugin (wp2wb) provides Weibo social media integration for WordPress. The CSRF flaw allows attackers to forge requests on behalf of authenticated administrators without proper anti-CSRF token validation. When successfully exploited, the forged request stores malicious JavaScript payloads in the WordPress database, which then executes in administrator browsers as stored XSS. This represents a classic two-stage attack where CSRF bypasses state-changing protections and XSS achieves code execution within the trust boundary of the WordPress admin panel.

Affected ProductsAI

The vulnerability affects the WordPres 同步微博 (wp2wb) WordPress plugin, specifically all versions up to and including version 1.1.0. The plugin provides WordPress-to-Weibo synchronization functionality for Chinese social media integration. According to Patchstack's advisory, the complete affected version range spans from the initial plugin release through version 1.1.0. WordPress site administrators using this plugin for Weibo content sharing should verify their installed version.

RemediationAI

Check the current installed version of WordPres 同步微博 plugin in the WordPress admin panel under Plugins. If running version 1.1.0 or earlier, immediately check the WordPress plugin repository or the developer's GitHub for updated versions beyond 1.1.0 that address this CSRF vulnerability. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp2wb/vulnerability/wordpress-wordpres-plugin-1-1-0-csrf-to-stored-xss-vulnerability confirms the vulnerability but does not specify a patched version number - contact the plugin developer iiiryan for fix availability. If no patched version is available, implement these compensating controls: disable the wp2wb plugin entirely if Weibo integration is not business-critical (eliminates attack surface but removes functionality), restrict WordPress admin access to trusted IP addresses only via .htaccess or firewall rules (reduces social engineering attack surface but impacts remote administration), and educate administrators to never visit untrusted websites while logged into WordPress admin (relies on user behavior, limited effectiveness). Monitor WordPress database for unexpected JavaScript content in plugin settings tables.

Share

CVE-2025-30555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy