CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light allows Stored XSS. This issue affects Widgetize Pages Light: from n/a through 3.0.
Analysis
Cross-Site Request Forgery (CSRF) vulnerability in the OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests that trick an authenticated user into performing unintended actions, resulting in a persistent XSS payload being injected into plugin-managed content that then executes for all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High): the attack vector is network-based, complexity is low and no privileges are required, but user interaction is needed, indicating moderate real-world exploitability without elevated privileges.
Technical Context
The vulnerability stems from insufficient CSRF token validation (CWE-352) in the OTWthemes Widgetize Pages Light WordPress plugin, a page-building/widget management extension. WordPress plugins commonly handle widget configuration and page customization through POST/GET requests; this plugin fails to properly validate nonce tokens or implement same-site request restrictions. The combination of CSRF weakness with Stored XSS indicates the vulnerability allows attackers to inject malicious JavaScript code into page widgets or content that persists in the database and executes for all users, bypassing content sanitization. The affected product is identified as OTWthemes Widgetize Pages Light, affecting all versions from inception through version 3.0, suggesting the vulnerability exists across the entire documented release history.
Affected Products
OTWthemes Widgetize Pages Light, versions 0.x through 3.0 (inclusive). CPE representation: cpe:2.7:a:otwhemes:widgetize_pages_light:*:*:*:*:*:wordpress:*:* (version 3.0 and below). The plugin targets WordPress (typically 4.x and later) and affects installations with the plugin active. The vulnerability specifically impacts page widget configurations and custom widget storage mechanisms held in WordPress's wp_options and post_meta tables.
Remediation
Immediate actions: (1) Update OTWthemes Widgetize Pages Light to version 3.1 or later if available (the vendor should have released a patch addressing CSRF token validation and XSS sanitization). (2) If no patch is available, deactivate and remove the plugin pending a vendor security release. (3) Apply WordPress security hardening: verify nonces via wp_verify_nonce() on every state-changing request, sanitize widget HTML with wp_kses_post() and escape it on output, and deploy Content Security Policy headers. (4) For administrators: audit recent widget changes in the plugin's configuration, check for suspicious JavaScript in widget content, and review user activity logs for unauthorized modifications. (5) Consider Web Application Firewall (WAF) rules that block requests lacking valid CSRF tokens to the OTWthemes admin pages. (6) If compromise is suspected, reset session cookies for all administrative users to invalidate any hijacked sessions.
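The following PHP is an added illustration written for this page; it is not code from the Widgetize Pages Light plugin or from OTWthemes. It shows the weakness class described under Technical Context (a widget save handler with no nonce validation that stores raw HTML) next to the hardened form that remediation step (3) calls for, plus a small audit helper for step (4). The option name, action name, capability and function names are assumptions chosen for illustration; the handler functions expect to run inside WordPress, while the audit helper runs on plain PHP with the constructed sample at the bottom.

```php
<?php
/**
 * Added example (not plugin code): a WordPress admin-post handler that saves
 * widget HTML, shown first as the CSRF + stored-XSS pattern typically looks,
 * then hardened. All wpl_example_* names and the option key are assumptions.
 */

// --- Weak pattern, shown for contrast only and deliberately not registered. ---
// No nonce, no capability check, raw HTML persisted. Any third-party page an
// administrator visits can submit this form on their behalf, and whatever HTML
// arrives is stored and rendered to every visitor.
function wpl_example_save_widget_unsafe() {
    $html = wp_unslash( $_POST['widget_html'] ?? '' );
    update_option( 'wpl_example_widget_html', $html );
    wp_safe_redirect( admin_url( 'admin.php?page=wpl-example' ) );
    exit;
}

// --- Hardened pattern. ---
function wpl_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpl_example_save_widget">';
    // Emits a hidden _wpnonce field bound to the current user and this action.
    wp_nonce_field( 'wpl_example_save_widget' );
    echo '<textarea name="widget_html"></textarea>';
    submit_button( 'Save widget' );
    echo '</form>';
}

function wpl_example_save_widget() {
    // 1. CSRF: reject requests without a nonce tied to this user and action.
    //    check_admin_referer() calls wp_die() when the nonce is missing or stale.
    check_admin_referer( 'wpl_example_save_widget' );

    // 2. Authorization: a nonce proves intent, not permission.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpl-example' ), 403 );
    }

    // 3. Stored XSS: keep only the HTML allowed in post content
    //    (drops <script>, on* event handlers and javascript: URLs).
    $html = wp_kses_post( wp_unslash( $_POST['widget_html'] ?? '' ) );
    update_option( 'wpl_example_widget_html', $html );

    wp_safe_redirect( admin_url( 'admin.php?page=wpl-example&saved=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the _nopriv_ variant is
// intentionally not registered, so anonymous requests never reach the handler.
add_action( 'admin_post_wpl_example_save_widget', 'wpl_example_save_widget' );

// --- Audit helper for remediation step (4): flag stored widget HTML that
// contains script tags, inline event handlers, javascript: URLs or iframes. ---
function wpl_example_find_suspicious_widgets( array $widgets ) {
    $patterns = [
        'script tag'     => '/<\s*script\b/i',
        'event handler'  => '/\son[a-z]+\s*=/i',
        'javascript url' => '/javascript\s*:/i',
        'iframe'         => '/<\s*iframe\b/i',
    ];
    $hits = [];
    foreach ( $widgets as $key => $html ) {
        foreach ( $patterns as $label => $pattern ) {
            if ( preg_match( $pattern, $html ) ) {
                $hits[ $key ] = $label;
                break; // one finding per widget is enough to queue it for review
            }
        }
    }
    return $hits;
}

// Constructed sample standing in for the entries of get_option( 'widget_text' ).
$sample_widgets = [
    'text-2' => '<p>Opening hours: 9-5</p>',
    'text-3' => '<p>Hi</p><img src="x" onerror="alert(1)">',
];
print_r( wpl_example_find_suspicious_widgets( $sample_widgets ) );
```

In a live audit, feed the helper the arrays returned by get_option() for each widget type the plugin stores (and any post_meta rows it writes), then review each flagged entry manually rather than deleting it blindly, since legitimate embeds can also trip the iframe pattern.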
EUVD-2025-17236