CVE-2025-30621 Overview
CVE-2025-30621 is a Cross-Site Request Forgery (CSRF) vulnerability in the kornelly Translator WordPress plugin that enables attackers to perform Stored Cross-Site Scripting (XSS) attacks. This chained vulnerability allows malicious actors to trick authenticated administrators into unknowingly executing state-changing requests, which subsequently inject persistent malicious scripts into the WordPress site.
Critical Impact
Attackers can leverage CSRF to inject stored XSS payloads, potentially compromising WordPress administrator sessions, stealing credentials, defacing websites, or redirecting visitors to malicious sites.
Affected Products
- kornelly Translator WordPress Plugin version 0.3 and earlier
- All WordPress installations running the vulnerable Translator plugin versions
Discovery Timeline
- 2025-03-24 - CVE-2025-30621 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-30621
Vulnerability Analysis
This vulnerability represents a dangerous combination of two web application security flaws: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). The Translator plugin lacks proper CSRF token validation on forms that handle user input, which is then stored and rendered without adequate output sanitization.
The attack chain begins when an authenticated WordPress administrator visits a malicious page crafted by an attacker. This page contains a hidden form that automatically submits a request to the vulnerable Translator plugin endpoint. Because the plugin does not verify the authenticity of the request through CSRF tokens (nonces in WordPress terminology), the malicious request is processed as if it were legitimate.
The payload submitted through this CSRF attack contains JavaScript code that gets stored in the WordPress database. When this data is subsequently displayed to other users or administrators, the malicious script executes in their browser context, enabling session hijacking, credential theft, or further malicious activities.
Root Cause
The root cause of this vulnerability is twofold. First, the Translator plugin fails to implement WordPress nonce verification on state-changing form submissions, violating CWE-352 (Cross-Site Request Forgery). Second, the plugin does not properly sanitize and escape user-supplied input before storing it in the database or rendering it in the browser, enabling the Stored XSS component of the attack.
Attack Vector
The attack is conducted over the network and requires user interaction. An attacker must convince an authenticated WordPress administrator to visit a malicious webpage while logged into their WordPress site. The malicious page hosts a hidden form that automatically submits a crafted request to the vulnerable plugin endpoint, injecting malicious JavaScript code that persists in the WordPress database.
The attack does not require the attacker to have any privileges on the target WordPress installation. Once the XSS payload is stored, it will execute in the context of any user who views the affected content, potentially including other administrators or site visitors.
Detection Methods for CVE-2025-30621
Indicators of Compromise
- Unexpected or suspicious entries in the Translator plugin's database tables containing JavaScript or HTML tags
- Unusual outbound requests from the WordPress server to unknown external domains
- Reports of browser security warnings or unexpected behavior from site administrators
- Presence of encoded script tags or event handlers in plugin configuration or translation data
Detection Strategies
- Monitor WordPress audit logs for configuration changes to the Translator plugin that occur without corresponding admin session activity
- Implement Web Application Firewall (WAF) rules to detect CSRF attacks targeting WordPress plugin endpoints
- Review database entries associated with the Translator plugin for malicious script patterns
- Deploy Content Security Policy (CSP) headers to detect and block inline script execution attempts
Monitoring Recommendations
- Enable comprehensive WordPress activity logging to track all plugin configuration changes
- Configure browser-based XSS detection alerts through security headers
- Implement real-time monitoring for suspicious JavaScript execution patterns on WordPress pages
- Set up alerts for unusual cross-origin requests originating from the WordPress admin panel
How to Mitigate CVE-2025-30621
Immediate Actions Required
- Deactivate and remove the kornelly Translator plugin version 0.3 or earlier from all WordPress installations immediately
- Review WordPress database for any malicious content that may have been injected through this vulnerability
- Audit WordPress user sessions and force password resets for all administrator accounts if compromise is suspected
- Consider implementing a Web Application Firewall (WAF) with CSRF and XSS protection rules
Patch Information
As of the published advisory, the vulnerability affects Translator plugin versions through 0.3. Site administrators should check the WordPress plugin repository or the Patchstack WordPress Vulnerability Advisory for information about patched versions. If no patch is available, the plugin should be replaced with a secure alternative.
Workarounds
- Remove the Translator plugin entirely until a patched version becomes available
- Implement a WAF rule to block suspicious POST requests targeting the Translator plugin endpoints
- Add Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
- Restrict WordPress admin panel access to trusted IP addresses to reduce the attack surface
# WordPress wp-config.php hardening - restrict admin access
# Add to .htaccess to limit admin panel access
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
