WordPres 同步微博 CVE-2025-30555
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in iiiryan WordPres 同步微博 allows Stored XSS. This issue affects WordPres 同步微博: from n/a through 1.1.0.
AnalysisAI
CSRF vulnerability in WordPres 同步微博 WordPress plugin enables stored XSS attacks against site administrators. Unauthenticated remote attackers can craft malicious pages that trick authenticated administrators into executing attacker-controlled JavaScript stored in the WordPress database, leading to account compromise, content manipulation, or site takeover. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Technical ContextAI
This is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352 that chains into stored XSS. The WordPres 同步微博 plugin (wp2wb) provides Weibo social media integration for WordPress. The CSRF flaw allows attackers to forge requests on behalf of authenticated administrators without proper anti-CSRF token validation. When successfully exploited, the forged request stores malicious JavaScript payloads in the WordPress database, which then executes in administrator browsers as stored XSS. This represents a classic two-stage attack where CSRF bypasses state-changing protections and XSS achieves code execution within the trust boundary of the WordPress admin panel.
Affected ProductsAI
The vulnerability affects the WordPres 同步微博 (wp2wb) WordPress plugin, specifically all versions up to and including version 1.1.0. The plugin provides WordPress-to-Weibo synchronization functionality for Chinese social media integration. According to Patchstack's advisory, the complete affected version range spans from the initial plugin release through version 1.1.0. WordPress site administrators using this plugin for Weibo content sharing should verify their installed version.
RemediationAI
Check the current installed version of WordPres 同步微博 plugin in the WordPress admin panel under Plugins. If running version 1.1.0 or earlier, immediately check the WordPress plugin repository or the developer's GitHub for updated versions beyond 1.1.0 that address this CSRF vulnerability. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp2wb/vulnerability/wordpress-wordpres-plugin-1-1-0-csrf-to-stored-xss-vulnerability confirms the vulnerability but does not specify a patched version number - contact the plugin developer iiiryan for fix availability. If no patched version is available, implement these compensating controls: disable the wp2wb plugin entirely if Weibo integration is not business-critical (eliminates attack surface but removes functionality), restrict WordPress admin access to trusted IP addresses only via .htaccess or firewall rules (reduces social engineering attack surface but impacts remote administration), and educate administrators to never visit untrusted websites while logged into WordPress admin (relies on user behavior, limited effectiveness). Monitor WordPress database for unexpected JavaScript content in plugin settings tables.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today