ANAC XML Render CVE-2025-30558
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in EnzoCostantini55 ANAC XML Render allows Stored XSS. This issue affects ANAC XML Render: from n/a through 1.5.7.
AnalysisAI
Cross-site request forgery in ANAC XML Render WordPress plugin versions through 1.5.7 enables stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads into the site. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
ANAC XML Render is a WordPress plugin for rendering Italian public procurement XML data (ANAC - Autorità Nazionale Anticorruzione format). The vulnerability combines two weakness classes: CWE-352 Cross-Site Request Forgery allows attackers to forge authenticated requests, which in this case leads to stored XSS. The CSRF flaw bypasses same-origin protections on administrative functions, while the stored XSS component persists malicious JavaScript in the database where it executes in victims' browsers. The CVSS scope change (S:C) indicates the XSS can affect resources beyond the vulnerable component's security authority, typical of stored XSS that executes in other users' contexts. WordPress plugins commonly suffer CSRF when administrative actions lack nonce validation and stored XSS when database inputs are not properly sanitized before output rendering.
Affected ProductsAI
WordPress plugin ANAC XML Render versions from earliest release through 1.5.7 are affected. The vulnerability was reported by audit@patchstack.com and documented in Patchstack's vulnerability database. No CPE identifier is provided in the available data. Organizations running this plugin on WordPress installations should verify their version through the WordPress admin dashboard under Plugins.
RemediationAI
Upgrade ANAC XML Render to version 1.5.8 or later if available, checking the WordPress plugin repository or developer's GitHub (EnzoCostantini55) for release information. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/anac-xml-render/vulnerability/wordpress-anac-xml-render-plugin-1-5-7-csrf-to-stored-xss-vulnerability should be consulted for specific patch status. If no patched version exists, deactivate and remove the plugin if not business-critical for Italian ANAC procurement data rendering. Compensating controls include restricting WordPress admin access to trusted networks via IP allowlisting and enabling two-factor authentication to reduce CSRF attack surface, though these do not eliminate the vulnerability. Content Security Policy headers can mitigate XSS execution but may break legitimate plugin functionality. Network-level blocking of the plugin's administrative endpoints is impractical as they share WordPress's standard admin paths.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today