CVE-2025-30565 HIGH

CVE-2025-30565: WordPress banner-manager plugin <= 16.04.19 - CSRF to Stored XSS vulnerability

Vendor Karrikas
Product banner-manager
Weakness CWE-352 · CSRF
Published March 24, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Karrikas banner-manager allows Stored XSS. This issue affects banner-manager: from n/a through 16.04.19 (all versions up to and including 16.04.19).

Explanation of Vulnerability in Simple Terms

02Summary

Banner Manager versions up to and including 16.04.19 accept banner-management requests without a valid anti-CSRF token (a WordPress nonce). An attacker who holds no account on the site can craft a page or link that silently submits such a request from the browser of an administrator who is logged in; the forged request creates or modifies a banner, and because the banner content is stored and later rendered without adequate sanitization, script supplied by the attacker is saved and executed in the browsers of users who view it (stored XSS). The chain requires user interaction: the administrator must open the attacker's page or link while authenticated.
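The pattern behind a CSRF-to-stored-XSS chain in a WordPress plugin, shown as an added illustration. This is not code from the banner-manager plugin; the handler names, the `bm_banners` option, the form field names and the `banner-manager` admin page slug are hypothetical. The first handler shows the two missing controls (no nonce, no sanitization); the second shows the hardened form using standard WordPress APIs.

```php
<?php
// Added illustration, not code from the banner-manager plugin.
// All names below (bm_*, 'bm_banners', banner_title, banner_html) are hypothetical.

// VULNERABLE pattern: any request that reaches admin-post.php from a logged-in
// user is acted on. No nonce check means a cross-site page can submit the form
// (CSRF); raw HTML is stored and later echoed, so <script> or on* handlers in
// banner_html persist and run for everyone who views the banner (stored XSS).
add_action( 'admin_post_bm_save_banner_vulnerable', 'bm_save_banner_vulnerable' );
function bm_save_banner_vulnerable() {
    $banners   = get_option( 'bm_banners', array() );
    $banners[] = array(
        'title' => $_POST['banner_title'], // unsanitized
        'html'  => $_POST['banner_html'],  // attacker-controlled markup stored as-is
    );
    update_option( 'bm_banners', $banners );
    wp_safe_redirect( admin_url( 'admin.php?page=banner-manager' ) );
    exit;
}

// HARDENED pattern: capability check, nonce check, input sanitization.
add_action( 'admin_post_bm_save_banner', 'bm_save_banner' );
function bm_save_banner() {
    // 1. Authorization: only users who may manage the site can manage banners.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defense: the nonce is tied to this action and the current user's
    //    session; check_admin_referer() calls wp_die() if it is missing or invalid,
    //    which is exactly what stops a request forged from another origin.
    check_admin_referer( 'bm_save_banner' );

    // 3. XSS defense on input: remove WordPress's magic slashes, then sanitize.
    //    wp_kses_post() keeps ordinary post markup and strips <script> and event attributes.
    $title = sanitize_text_field( wp_unslash( $_POST['banner_title'] ?? '' ) );
    $html  = wp_kses_post( wp_unslash( $_POST['banner_html'] ?? '' ) );

    $banners   = get_option( 'bm_banners', array() );
    $banners[] = array( 'title' => $title, 'html' => $html );
    update_option( 'bm_banners', $banners );

    wp_safe_redirect( add_query_arg( 'bm_saved', '1', admin_url( 'admin.php?page=banner-manager' ) ) );
    exit;
}

// The admin form must emit the matching nonce field, or the hardened handler
// rejects legitimate submissions too.
function bm_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bm_save_banner">
        <?php wp_nonce_field( 'bm_save_banner' ); ?>
        <input type="text" name="banner_title">
        <textarea name="banner_html"></textarea>
        <button type="submit">Save banner</button>
    </form>
    <?php
}

// Output side: escape attributes and re-filter stored HTML, so a value that
// reached the database before the fix cannot still execute.
function bm_render_banners() {
    foreach ( get_option( 'bm_banners', array() ) as $banner ) {
        echo '<div class="bm-banner" title="' . esc_attr( $banner['title'] ) . '">';
        echo wp_kses_post( $banner['html'] );
        echo '</div>';
    }
}
```

The two controls address the two halves of the advisory's title: the nonce check closes the CSRF, and `wp_kses_post()` on input and output closes the stored XSS. Either one alone leaves a weaker but still real issue (an authenticated admin could still store script, or a forged request could still alter banners), which is why both belong in the fix.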

What an attacker can do

03Attacker Capabilities

Create, modify, or delete banners on behalf of a logged-in site administrator, and place attacker-supplied script in banner content so that it is stored and executes in the browsers of users who later view the banner (stored XSS).

Potential impact on your site

04Site Impact

Banners can be modified, deleted, or created without your authorization, defacing the site; because the injected banner content is stored and served to other users, it can carry script that runs in their browsers (stored XSS).

Conditions required to exploit

05Prerequisites

A site administrator who is logged in to WordPress must open a page controlled by the attacker or follow a malicious link. The attacker needs no account on the target site (CVSS PR:N); the forged request is sent with the administrator's own session.

Key dates

06Disclosure timeline

March 24, 2025 CVE published
April 28, 2026 Record updated
