CVE-2025-30919
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Store Locator Widget plugin that can lead to Stored Cross-Site Scripting (XSS). Attackers can trick authenticated administrators into executing malicious actions, potentially injecting persistent scripts into websites. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Store Locator Widget plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, redirects users to malicious sites, or defaces the website for all visitors.
Likely Case
Attackers create fake admin interfaces or forms that trick administrators into executing actions that inject malicious scripts into the website.
If Mitigated
With proper CSRF tokens and input validation, the attack vector is eliminated and no malicious scripts can be stored.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into visiting a malicious page while logged into WordPress. The CSRF leads to stored XSS payload execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 20200131
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Store Locator Widget'. 4. If update is available, click 'Update Now'. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDeactivate the plugin until patched to prevent exploitation
CSRF Protection Implementation
allAdd custom CSRF tokens to plugin forms if source code access is available
🧯 If You Can't Patch
- Remove the Store Locator Widget plugin completely from the WordPress installation
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Store Locator Widget version. If version is 20200131 or earlier, you are vulnerable.Check Version:
No direct command - check via WordPress admin interface or examine wp-content/plugins/store-locator-widget/readme.txt fileVerify Fix Applied:
After updating, verify plugin version shows a date later than 20200131 in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to store-locator-widget admin endpoints without referrer headers
- JavaScript injection patterns in plugin settings or content
Network Indicators:
- CSRF attack patterns with malicious payloads targeting plugin admin endpoints
SIEM Query:
web_requests WHERE (uri CONTAINS '/wp-admin/admin-ajax.php' OR uri CONTAINS 'store-locator-widget') AND (method = 'POST') AND (referrer IS NULL OR referrer NOT CONTAINS own_domain)