CVE-2025-30908
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Shamalli Web Directory Free WordPress plugin allows attackers to inject malicious scripts via forged requests. When exploited, this can lead to stored cross-site scripting (XSS) attacks. This affects all WordPress sites running Web Directory Free plugin versions up to 1.7.6.
💻 Affected Systems
- Shamalli Web Directory Free WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent malicious scripts that execute in users' browsers, potentially stealing session cookies, credentials, or performing actions as authenticated users, leading to complete site compromise.
Likely Case
Attackers create fake admin requests to inject malicious JavaScript into directory listings, which executes when users view those listings, potentially hijacking sessions or redirecting users to malicious sites.
If Mitigated
With proper CSRF protections and input validation, the attack would fail, preventing script injection and maintaining site integrity.
🎯 Exploit Status
Exploitation requires tricking authenticated users into clicking malicious links. The CSRF-to-XSS chain makes weaponization straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Web Directory Free' and click 'Update Now'. 4. Verify version is 1.7.7 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate web-directory-free
Implement CSRF Tokens
allAdd CSRF protection to plugin forms if custom modifications are possible
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block CSRF and XSS patterns
- Restrict plugin access to trusted users only and monitor for suspicious directory submissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Web Directory Free version 1.7.6 or earlierCheck Version:
wp plugin get web-directory-free --field=versionVerify Fix Applied:
Verify plugin version is 1.7.7 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to web-directory-free admin endpoints
- Multiple directory submissions from single IP
- JavaScript injection patterns in directory content
Network Indicators:
- CSRF attack patterns in HTTP requests
- Unexpected redirects from directory pages
SIEM Query:
source="wordpress.log" AND ("web-directory-free" OR "wp-admin/admin-ajax.php") AND (POST OR "action=submit")