Skip to main content

OTWthemes Widgetize Pages Light CVE-2025-30995

| EUVDEUVD-2025-17236 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17236
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 13:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light allows Stored XSS. This issue affects Widgetize Pages Light: from n/a through 3.0.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.

Technical ContextAI

The vulnerability stems from insufficient CSRF token validation (CWE-352) in the OTWthemes Widgetize Pages Light WordPress plugin, a page-building/widget management extension. WordPress plugins commonly handle widget configuration and page customization through POST/GET requests; this plugin fails to properly validate nonce tokens or implement same-site request restrictions. The combination of CSRF weakness with Stored XSS indicates the vulnerability allows attackers to inject malicious JavaScript code into page widgets or content that persists in the database and executes for all users, bypassing content sanitization. The affected product is identified as OTWthemes Widgetize Pages Light, affecting all versions from inception through version 3.0, suggesting the vulnerability exists across the entire documented release history.

RemediationAI

Immediate actions: (1) Update OTWthemes Widgetize Pages Light to version 3.1 or later if available (vendor should have released a patch addressing CSRF token validation and XSS sanitization). (2) If no patch is available, deactivate and remove the plugin pending vendor security release. (3) Implement WordPress security hardening: enable nonce verification via wp_verify_nonce(), use wp_kses_post() for output escaping, and implement Content Security Policy headers. (4) For administrators: audit recent widget changes in the plugin's configuration, check for suspicious JavaScript in widget content, and review user activity logs for unauthorized modifications. (5) Consider using Web Application Firewall (WAF) rules to block requests without valid CSRF tokens to OTWthemes admin pages. (6) Reset session cookies for all administrative users to invalidate any hijacked sessions if compromise is suspected.

Share

CVE-2025-30995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy