Skip to main content

ANAC XML Render CVE-2025-30558

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in EnzoCostantini55 ANAC XML Render allows Stored XSS. This issue affects ANAC XML Render: from n/a through 1.5.7.

AnalysisAI

Cross-site request forgery in ANAC XML Render WordPress plugin versions through 1.5.7 enables stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads into the site. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

ANAC XML Render is a WordPress plugin for rendering Italian public procurement XML data (ANAC - Autorità Nazionale Anticorruzione format). The vulnerability combines two weakness classes: CWE-352 Cross-Site Request Forgery allows attackers to forge authenticated requests, which in this case leads to stored XSS. The CSRF flaw bypasses same-origin protections on administrative functions, while the stored XSS component persists malicious JavaScript in the database where it executes in victims' browsers. The CVSS scope change (S:C) indicates the XSS can affect resources beyond the vulnerable component's security authority, typical of stored XSS that executes in other users' contexts. WordPress plugins commonly suffer CSRF when administrative actions lack nonce validation and stored XSS when database inputs are not properly sanitized before output rendering.

Affected ProductsAI

WordPress plugin ANAC XML Render versions from earliest release through 1.5.7 are affected. The vulnerability was reported by audit@patchstack.com and documented in Patchstack's vulnerability database. No CPE identifier is provided in the available data. Organizations running this plugin on WordPress installations should verify their version through the WordPress admin dashboard under Plugins.

RemediationAI

Upgrade ANAC XML Render to version 1.5.8 or later if available, checking the WordPress plugin repository or developer's GitHub (EnzoCostantini55) for release information. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/anac-xml-render/vulnerability/wordpress-anac-xml-render-plugin-1-5-7-csrf-to-stored-xss-vulnerability should be consulted for specific patch status. If no patched version exists, deactivate and remove the plugin if not business-critical for Italian ANAC procurement data rendering. Compensating controls include restricting WordPress admin access to trusted networks via IP allowlisting and enabling two-factor authentication to reduce CSRF attack surface, though these do not eliminate the vulnerability. Content Security Policy headers can mitigate XSS execution but may break legitimate plugin functionality. Network-level blocking of the plugin's administrative endpoints is impractical as they share WordPress's standard admin paths.

Share

CVE-2025-30558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy