Skip to main content

Custom Script Integration CVE-2025-30564

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in wpwox Custom Script Integration allows Stored XSS. This issue affects Custom Script Integration: from n/a through 2.1.

AnalysisAI

Stored Cross-Site Scripting can be injected into Custom Script Integration for WordPress via Cross-Site Request Forgery attack affecting versions up to and including 2.1. Attackers can trick authenticated administrators into submitting malicious script payloads that persist in the site database and execute in victims' browsers. EPSS score of 0.04% (12th percentile) indicates low automated exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the vulnerability has been publicly documented by Patchstack.

Technical ContextAI

Custom Script Integration is a WordPress plugin that allows administrators to insert custom JavaScript, CSS, or HTML code into website headers or footers. The vulnerability chains CWE-352 (Cross-Site Request Forgery) with Stored XSS, meaning the plugin lacks CSRF tokens on forms that accept script input. This allows attackers to craft malicious web pages that, when visited by authenticated WordPress administrators, automatically submit script injection payloads to the plugin's settings endpoints. Unlike reflected XSS, the injected scripts are stored in the WordPress database and execute persistently for all site visitors, making this a higher-impact variant. The CSRF bypass removes the typical authentication barrier to XSS injection, as the victim administrator unknowingly provides their session credentials through normal browser behavior.

Affected ProductsAI

WordPress Custom Script Integration plugin versions from unknown initial release through version 2.1 are confirmed vulnerable according to Patchstack vulnerability database documentation. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/custom-script-integration/vulnerability/wordpress-custom-script-integration-2-1-cross-site-request-forgery-csrf-vulnerability provides technical details, though no CPE identifiers were provided in the source data to enable automated scanning tool configuration.

RemediationAI

Upgrade to Custom Script Integration version 2.2 or later if available, checking the WordPress plugin repository or vendor communications for patched releases. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/custom-script-integration/vulnerability/wordpress-custom-script-integration-2-1-cross-site-request-forgery-csrf-vulnerability should be consulted for specific patch availability and version recommendations, though the source data does not confirm whether version 2.2 or later has been released at time of analysis. If no patched version exists, implement compensating controls: disable the Custom Script Integration plugin entirely and migrate custom scripts to theme functions.php with proper input sanitization, or restrict plugin settings access to only super-administrators and enforce strict Content Security Policy headers to limit stored XSS impact. Train WordPress administrators to avoid browsing untrusted websites while authenticated to admin panels, though this administrative control is difficult to enforce consistently. Consider implementing Web Application Firewall rules to detect and block CSRF attacks targeting WordPress plugin endpoints, but note this adds latency and requires ongoing rule maintenance.

Share

CVE-2025-30564 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy