Skip to main content

Banner Manager CVE-2025-30565

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in karrikas banner-manager allows Stored XSS. This issue affects banner-manager: from n/a through 16.04.19.

AnalysisAI

Stored cross-site scripting in Banner Manager WordPress plugin through version 16.04.19 is achievable via CSRF attack vector, allowing attackers to inject malicious scripts that execute in victim administrators' browsers. The vulnerability chains a CSRF weakness (CWE-352) with XSS payload injection, enabling attackers to compromise admin sessions by tricking authenticated users into visiting attacker-controlled pages. No public exploit identified at time of analysis, with EPSS indicating 0.04% exploitation probability (12th percentile), suggesting low observed threat actor interest despite the cross-scope impact and network attack vector.

Technical ContextAI

The vulnerability affects the Banner Manager WordPress plugin, a banner/advertisement management component for WordPress sites. The root cause is a CSRF flaw (CWE-352) in administrative functionality that lacks proper nonce validation or request origin verification. This CSRF weakness serves as the delivery mechanism for stored XSS payloads - attackers craft malicious forms that, when submitted by authenticated administrators, inject persistent JavaScript into the banner management database. The CVSS scope change (S:C) indicates the injected scripts execute in victim browsers beyond the vulnerable plugin's security context, potentially accessing WordPress admin session cookies, CSRF tokens, or performing actions across the WordPress installation. WordPress plugins commonly implement custom administrative interfaces that may bypass WordPress core CSRF protections if developers do not properly utilize wp_nonce_field() and check_admin_referer() functions.

Affected ProductsAI

WordPress Banner Manager plugin (karrikas/banner-manager) versions through 16.04.19 are confirmed vulnerable per Patchstack advisory. The CPE and specific version range are not provided in NVD data, but Patchstack database identifies all versions up to and including 16.04.19 as affected. The plugin appears unmaintained since April 2019 based on the version timestamp format. WordPress administrators can verify installed version via Plugins menu in wp-admin dashboard. Patchstack vulnerability database entry available at https://patchstack.com/database/wordpress/plugin/banner-manager/vulnerability/wordpress-banner-manager-plugin-16-04-19-csrf-to-stored-xss-vulnerability.

RemediationAI

No vendor-released patch identified at time of analysis - the plugin has not been updated since version 16.04.19 in 2019, indicating abandonment by the developer (karrikas). Primary remediation is immediate removal of Banner Manager plugin and migration to actively maintained alternatives such as Advanced Ads, Ad Inserter, or AdSanity, all of which receive regular security updates. If business requirements mandate continued use, implement strict compensating controls: restrict WordPress admin access to trusted IP ranges via .htaccess or WAF rules, enforce multi-factor authentication for all administrator accounts via plugins like Wordfence Login Security or Duo Two-Factor Authentication, deploy Content Security Policy headers to mitigate XSS impact (note: CSP effectiveness varies in WordPress admin context), and train administrators to never click external links while logged into wp-admin. These mitigations reduce but do not eliminate risk - WAF rules may break legitimate remote admin access, and CSP can interfere with WordPress admin functionality requiring careful tuning. Long-term remediation requires plugin replacement, as unmaintained code presents ongoing security debt beyond this single CVE.

Share

CVE-2025-30565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy