CVE-2025-30612 Overview
CVE-2025-30612 is a Cross-Site Request Forgery (CSRF) vulnerability in the mandegarweb Replace Default Words WordPress plugin. The flaw affects all plugin versions up to and including 1.3. An attacker can chain the CSRF weakness into a Stored Cross-Site Scripting (XSS) attack against a WordPress site. Successful exploitation requires an authenticated administrator to interact with an attacker-controlled link or page. The injected script then persists in the site database and executes in the browsers of subsequent visitors. The vulnerability is classified under CWE-352: Cross-Site Request Forgery.
Critical Impact
An attacker who tricks an administrator into visiting a crafted page can inject persistent JavaScript into the WordPress site, enabling session hijacking, content modification, or further compromise of site visitors.
Affected Products
- mandegarweb Replace Default Words plugin for WordPress
- All versions from n/a through 1.3 (inclusive)
- WordPress installations with the replace-default-words plugin enabled
Discovery Timeline
- 2025-03-24 - CVE-2025-30612 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-30612
Vulnerability Analysis
The Replace Default Words plugin exposes administrative actions that change plugin-managed content without verifying request authenticity. The plugin does not validate WordPress nonces or other anti-CSRF tokens on its state-changing endpoints. An attacker hosts a malicious page containing a crafted form or request targeting the plugin's settings endpoint. When an authenticated administrator visits that page, the browser submits the request with the administrator's session cookies attached, because the browser adds them to any request bound for the site regardless of which page initiated it. The submitted payload includes JavaScript that the plugin stores in the database without sanitization and later renders without sufficient output encoding. The stored payload then executes in any browser that loads the affected page, turning the CSRF flaw into a Stored XSS condition.
Root Cause
The root cause is missing CSRF protection on plugin write operations combined with inadequate sanitization of user-supplied input. The plugin trusts that requests reaching its handlers originate from legitimate administrative workflows. It does not call wp_verify_nonce() or check_admin_referer() on the relevant action. Input destined for storage is not filtered through wp_kses(), sanitize_text_field(), or an equivalent sanitization routine, and the stored value is not escaped when rendered.
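The following is an added example, not the plugin's code: it contrasts the weak handler pattern the analysis and root-cause sections describe with a hardened version built on the WordPress functions named above. The option name rdw_pairs, the admin_post_ action rdw_save, the nonce action rdw_save_pairs, and the manage_options capability are assumptions chosen for illustration; the plugin's real endpoint and parameter names are not published.

```php
<?php
/*
 * Added example, not the plugin's code. Names (rdw_pairs, rdw_save,
 * rdw_save_pairs) are assumptions for illustration only.
 */

// --- Weak pattern: no capability check, no nonce, no sanitization. ---
// Any POST that reaches this hook is trusted, so a form on an attacker's
// page can drive it with the admin's cookies, and raw HTML lands in the DB.
function rdw_save_pairs_weak() {
    $pairs = isset( $_POST['rdw_pairs'] ) ? $_POST['rdw_pairs'] : array();
    update_option( 'rdw_pairs', $pairs ); // stored verbatim
    wp_safe_redirect( admin_url( 'admin.php?page=rdw' ) );
    exit;
}
// add_action( 'admin_post_rdw_save', 'rdw_save_pairs_weak' ); // do not use

// --- Hardened pattern: capability, nonce, then sanitize before storing. ---
function rdw_save_pairs_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies with 403 unless _wpnonce was minted for
    // 'rdw_save_pairs' in this user's session; a cross-site form cannot
    // learn that value, which is what closes the CSRF.
    check_admin_referer( 'rdw_save_pairs' );

    $raw   = isset( $_POST['rdw_pairs'] ) && is_array( $_POST['rdw_pairs'] )
        ? wp_unslash( $_POST['rdw_pairs'] ) : array();
    $clean = array();
    foreach ( $raw as $from => $to ) {
        // Replacement words are plain text: strip tags and control characters.
        $from = sanitize_text_field( $from );
        $to   = sanitize_text_field( $to );
        if ( '' !== $from ) {
            $clean[ $from ] = $to;
        }
    }
    update_option( 'rdw_pairs', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=rdw' ) );
    exit;
}
add_action( 'admin_post_rdw_save', 'rdw_save_pairs_hardened' );

// The settings form must emit the matching nonce, and escape on output so
// that even an already-polluted option cannot execute in the admin's browser.
function rdw_render_form() {
    $pairs = (array) get_option( 'rdw_pairs', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rdw_save">';
    wp_nonce_field( 'rdw_save_pairs' ); // adds _wpnonce and _wp_http_referer
    foreach ( $pairs as $from => $to ) {
        printf(
            '<p><input name="rdw_pairs[%1$s]" value="%2$s"></p>',
            esc_attr( $from ),
            esc_attr( $to )
        );
    }
    submit_button();
    echo '</form>';
}

// Front-end side: apply replacements to translated strings, escaping the
// stored value again so a tampered option degrades to visible text.
add_filter( 'gettext', function ( $translated ) {
    foreach ( (array) get_option( 'rdw_pairs', array() ) as $from => $to ) {
        $translated = str_replace( $from, esc_html( $to ), $translated );
    }
    return $translated;
} );
```

The hardened handler layers three independent controls: the capability check stops low-privilege users, the nonce check stops cross-site forms even when an administrator is logged in, and sanitizing on input plus escaping on output means a payload that slipped past both would still render as inert text rather than script.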
Attack Vector
Exploitation proceeds over the network and requires user interaction from a privileged WordPress user. The attacker delivers a link to an administrator through phishing, a forum post, or a malicious advertisement. When the administrator loads the page, a hidden form auto-submits to the vulnerable WordPress endpoint. The plugin processes the forged request and persists the attacker's script payload. Every visitor who later loads the affected page executes the stored JavaScript in the site's origin. The EPSS score for this issue is 0.064% at the 19.7th percentile, indicating low observed exploitation activity at this time.
No verified public proof-of-concept code is available. See the Patchstack WordPress Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-30612
Indicators of Compromise
- Unexpected <script> tags, event handlers, or obfuscated JavaScript stored in Replace Default Words plugin settings or word-replacement entries.
- WordPress access logs showing POST requests to plugin admin endpoints whose Referer header (or Origin header, where the log format records it) points to an external, untrusted domain or is absent on a state-changing request.
- New or modified administrator accounts created shortly after an admin browsing session.
- Outbound requests from site visitors' browsers to attacker-controlled domains after viewing pages rendered by the plugin.
Detection Strategies
- Inspect the wp_options table and any plugin-specific tables for entries containing HTML or JavaScript syntax that should not appear in word-replacement configuration.
- Review web server access logs for POST requests to /wp-admin/admin.php or /wp-admin/options.php referencing replace-default-words actions originating from cross-origin referrers.
- Use WordPress security scanners or file integrity monitoring to flag changes to plugin configuration between expected administrative sessions.
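The following is an added example, not part of the advisory: a stand-alone PHP CLI script that implements the first two detection strategies above, scanning stored option values for script-bearing content and flagging cross-origin POSTs to wp-admin write endpoints in combined-format access logs. The option names, log lines, and site host are constructed samples; in a real investigation feed it the output of `wp option list --format=json` and the server's access log.

```php
<?php
/*
 * Added example, not from the advisory or the plugin. Sample data below is
 * constructed; option names and the site host are assumptions.
 */

// Patterns that should never appear in plain-text word replacements.
const RDW_SCRIPT_PATTERNS = array(
    '/<\s*script\b/i',                    // <script> tags
    '/\bon[a-z]+\s*=/i',                  // inline handlers: onerror=, onload=...
    '/javascript\s*:/i',                  // javascript: URLs
    '/<\s*(iframe|object|embed|svg)\b/i', // other script-capable elements
    '/&#x?[0-9a-f]+;/i',                  // numeric entities used to obfuscate
);

/** Return option names whose (possibly nested) values match a script pattern. */
function rdw_find_script_in_options( array $options ) {
    $hits = array();
    foreach ( $options as $name => $value ) {
        // Array/serialized values are flattened so nested entries are covered.
        $flat = is_scalar( $value ) ? (string) $value : json_encode( $value );
        foreach ( RDW_SCRIPT_PATTERNS as $re ) {
            if ( preg_match( $re, $flat ) ) {
                $hits[] = $name; // expect a few false positives, e.g. "one=two"
                break;
            }
        }
    }
    return $hits;
}

/**
 * Parse a combined-format line and flag POSTs to wp-admin write endpoints
 * whose Referer is not the site's own host. Returns the request target of
 * an offending line, or null. If your log format also records Origin,
 * check it the same way; it is sent on cross-origin POSTs even when
 * Referer is suppressed.
 */
function rdw_flag_cross_origin_post( $line, $site_host ) {
    $re = '/"(POST) (\/wp-admin\/(?:admin|options|admin-post)\.php[^ "]*) HTTP\/[0-9.]+" \d{3} \S+ "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $referer = $m[3];
    // A missing Referer on a state-changing POST is treated as cross-origin:
    // privacy settings strip it, but so do attacker pages using
    // <meta name="referrer" content="no-referrer">.
    $host = ( '-' === $referer ) ? '' : (string) parse_url( $referer, PHP_URL_HOST );
    return ( 0 === strcasecmp( $host, $site_host ) ) ? null : $m[2];
}

// ---- Constructed sample data ----
$sample_options = array(
    'blogname'        => 'Example Site',
    'rdw_pairs'       => array( 'Howdy' => 'Hello', 'Posts' => '<img src=x onerror=alert(1)>' ),
    'rdw_footer_text' => 'Plain footer',
);
$sample_log = array(
    '203.0.113.5 - - [24/Mar/2025:10:00:01 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=rdw" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2025:10:02:13 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Mar/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=rdw HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( rdw_find_script_in_options( $sample_options ) as $name ) {
    echo "[option] script-like content in: $name\n";
}
foreach ( $sample_log as $line ) {
    $target = rdw_flag_cross_origin_post( $line, 'example.com' );
    if ( null !== $target ) {
        echo "[log] cross-origin POST to $target\n";
    }
}
```

On the sample data the script reports rdw_pairs (the onerror= handler) and the second log line (a POST to admin-post.php referred from evil.example.net); the same-origin options.php POST and the GET are ignored. Run it with `php scan.php` after replacing the sample arrays with real data.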
Monitoring Recommendations
- Enable WordPress audit logging to record plugin setting changes and administrator authentication events.
- Forward web server and WordPress logs to a centralized SIEM for correlation with referrer anomalies and unusual admin activity.
- Monitor outbound DNS and HTTP requests from end-user sessions for connections to unknown domains that may indicate stored XSS callbacks.
How to Mitigate CVE-2025-30612
Immediate Actions Required
- Deactivate the Replace Default Words plugin until a patched version is confirmed installed.
- Audit all plugin-managed content and remove any entries containing HTML tags or JavaScript.
- Force a password reset for all WordPress administrator accounts and rotate any API keys exposed through admin sessions.
- Review user accounts for unauthorized additions or role changes.
Patch Information
No fixed version has been published for the Replace Default Words plugin at the time of NVD entry. Administrators should monitor the Patchstack advisory and the WordPress plugin repository for an update beyond version 1.3.
Workarounds
- Remove the replace-default-words plugin directory from wp-content/plugins/ if a patch is not available.
- Restrict /wp-admin/ access by IP allowlist using web server or WAF rules. This reduces who can reach the admin endpoints at all, but it does not stop CSRF on its own: the forged request is issued by the administrator's own browser from an allowed address, so the plugin must still be deactivated or patched.
- Deploy a Content Security Policy that disallows inline scripts on rendered pages to limit Stored XSS impact. WordPress core, themes, and plugins emit inline scripts, so roll the policy out in report-only mode first and use nonce- or hash-based allowances rather than breaking the site.
- Require administrators to use separate browser profiles or sessions when performing WordPress administrative tasks.
# Configuration example: disable the plugin via WP-CLI and remove its files
wp plugin deactivate replace-default-words
wp plugin delete replace-default-words
# Optional: restrict wp-admin to a known IP range in nginx. Note that
# /wp-admin/admin-ajax.php is called by many themes and plugins on behalf of
# anonymous visitors, so add a separate location for it before denying the
# rest, and remember this does not block CSRF coming from an allowed address.
# location ^~ /wp-admin/ {
# allow 203.0.113.0/24;
# deny all;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.