Custom Script Integration CVE-2025-30564
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in wpwox Custom Script Integration allows Stored XSS. This issue affects Custom Script Integration: from n/a through 2.1.
AnalysisAI
Stored Cross-Site Scripting can be injected into Custom Script Integration for WordPress via Cross-Site Request Forgery attack affecting versions up to and including 2.1. Attackers can trick authenticated administrators into submitting malicious script payloads that persist in the site database and execute in victims' browsers. EPSS score of 0.04% (12th percentile) indicates low automated exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the vulnerability has been publicly documented by Patchstack.
Technical ContextAI
Custom Script Integration is a WordPress plugin that allows administrators to insert custom JavaScript, CSS, or HTML code into website headers or footers. The vulnerability chains CWE-352 (Cross-Site Request Forgery) with Stored XSS, meaning the plugin lacks CSRF tokens on forms that accept script input. This allows attackers to craft malicious web pages that, when visited by authenticated WordPress administrators, automatically submit script injection payloads to the plugin's settings endpoints. Unlike reflected XSS, the injected scripts are stored in the WordPress database and execute persistently for all site visitors, making this a higher-impact variant. The CSRF bypass removes the typical authentication barrier to XSS injection, as the victim administrator unknowingly provides their session credentials through normal browser behavior.
Affected ProductsAI
WordPress Custom Script Integration plugin versions from unknown initial release through version 2.1 are confirmed vulnerable according to Patchstack vulnerability database documentation. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/custom-script-integration/vulnerability/wordpress-custom-script-integration-2-1-cross-site-request-forgery-csrf-vulnerability provides technical details, though no CPE identifiers were provided in the source data to enable automated scanning tool configuration.
RemediationAI
Upgrade to Custom Script Integration version 2.2 or later if available, checking the WordPress plugin repository or vendor communications for patched releases. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/custom-script-integration/vulnerability/wordpress-custom-script-integration-2-1-cross-site-request-forgery-csrf-vulnerability should be consulted for specific patch availability and version recommendations, though the source data does not confirm whether version 2.2 or later has been released at time of analysis. If no patched version exists, implement compensating controls: disable the Custom Script Integration plugin entirely and migrate custom scripts to theme functions.php with proper input sanitization, or restrict plugin settings access to only super-administrators and enforce strict Content Security Policy headers to limit stored XSS impact. Train WordPress administrators to avoid browsing untrusted websites while authenticated to admin panels, though this administrative control is difficult to enforce consistently. Consider implementing Web Application Firewall rules to detect and block CSRF attacks targeting WordPress plugin endpoints, but note this adds latency and requires ongoing rule maintenance.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today