CVE-2025-30908 Overview
CVE-2025-30908 is a Cross-Site Request Forgery (CSRF) vulnerability in the Shamalli Web Directory Free WordPress plugin that enables attackers to perform Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions of the Web Directory Free plugin through version 1.7.6. This chained attack allows unauthenticated attackers to trick authenticated administrators into unknowingly submitting malicious requests that inject persistent JavaScript code into the WordPress site.
Critical Impact
Attackers can leverage this CSRF-to-XSS chain to execute arbitrary JavaScript in the context of site visitors and administrators, potentially leading to session hijacking, credential theft, website defacement, and malware distribution.
Affected Products
- Shamalli Web Directory Free plugin for WordPress versions up to and including 1.7.6
- WordPress installations running vulnerable versions of the web-directory-free plugin
Discovery Timeline
- 2025-04-03 - CVE-2025-30908 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-30908
Vulnerability Analysis
This vulnerability represents a dangerous combination of two distinct web security flaws working in tandem. The Web Directory Free plugin fails to implement proper CSRF protection on critical form handling endpoints, allowing attackers to craft malicious requests that are executed when an authenticated administrator visits an attacker-controlled page. Combined with insufficient input sanitization, this allows attackers to inject persistent malicious scripts that execute whenever the affected page is rendered.
The attack requires user interaction, specifically convincing an authenticated WordPress administrator to visit a malicious page while logged into the target WordPress installation. However, once the CSRF attack succeeds, the stored XSS payload persists in the database and affects all subsequent visitors to the compromised pages.
Root Cause
The root cause of this vulnerability is twofold:
Missing CSRF Token Validation (CWE-352): The plugin does not validate nonce tokens on state-changing requests, allowing forged requests from external origins to be processed as legitimate administrator actions.
Insufficient Output Encoding: User-supplied input is stored in the database and rendered back to users without proper HTML entity encoding or sanitization, enabling script injection.
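As an added illustration of both root causes (this is not Web Directory Free's code; the hook, field and option names are hypothetical), a minimal WordPress listing-save handler written the vulnerable way beside its hardened form. It assumes it runs inside WordPress, where wp_verify_nonce, current_user_can, sanitize_text_field and esc_html are available:

```php
<?php
// Added example, not the plugin's code. Names prefixed wdf_demo_ are hypothetical.

// VULNERABLE pattern (CWE-352 + stored XSS): no nonce, no capability check,
// input stored unsanitized and echoed back unescaped.
function wdf_demo_save_listing_vulnerable() {
    $title = $_POST['listing_title'];                   // trusted as-is
    update_option( 'wdf_demo_listing_title', $title );  // stored raw
}
function wdf_demo_render_listing_vulnerable() {
    echo '<h2>' . get_option( 'wdf_demo_listing_title' ) . '</h2>'; // rendered raw
}

// HARDENED pattern: the form carries a nonce, the handler verifies it,
// checks authorization, sanitizes on input and escapes on output.
function wdf_demo_listing_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'wdf_demo_save_listing', 'wdf_demo_nonce' ); // per-user, per-action token
    echo '<input type="hidden" name="action" value="wdf_demo_save_listing">';
    echo '<input name="listing_title"><button>Save</button></form>';
}
function wdf_demo_save_listing_hardened() {
    // 1. Reject forged cross-site requests: a third-party page cannot know the nonce.
    $nonce = isset( $_POST['wdf_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wdf_demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wdf_demo_save_listing' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // 2. Authorization is a separate check from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. Sanitize on input: a plain-text field never needs tags.
    $title = sanitize_text_field( wp_unslash( $_POST['listing_title'] ?? '' ) );
    update_option( 'wdf_demo_listing_title', $title );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
function wdf_demo_render_listing_hardened() {
    // 4. Escape on output regardless of what reached the database.
    echo '<h2>' . esc_html( get_option( 'wdf_demo_listing_title', '' ) ) . '</h2>';
}
add_action( 'admin_post_wdf_demo_save_listing', 'wdf_demo_save_listing_hardened' );
```

Either the nonce check alone or the output escaping alone would have broken the chain; the fix applies both because each defends against a different failure.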
Attack Vector
The attack is network-based and proceeds as follows:
- An attacker creates a malicious webpage containing a hidden form that targets the vulnerable plugin endpoint
- The form contains XSS payload data in the appropriate input fields
- When an authenticated WordPress administrator visits the attacker's page, the form auto-submits via JavaScript
- The vulnerable plugin processes the forged request and stores the malicious script
- The stored XSS payload executes whenever any user (including other administrators) views the affected content
The vulnerability exploits the trust the plugin places in the administrator's authenticated session: the browser attaches the session cookie to a cross-site form submission (which the same-origin policy does not block), and because the plugin checks no nonce, it cannot tell the forged request from a legitimate one.
Detection Methods for CVE-2025-30908
Indicators of Compromise
- Unexpected or suspicious entries in the Web Directory Free plugin database tables containing JavaScript or HTML tags
- Web server logs showing POST requests to plugin endpoints from external referrers
- Browser console errors or unexpected script execution on directory listing pages
- User reports of unusual popups, redirects, or behavior when viewing directory content
Detection Strategies
- Review WordPress audit logs for administrative actions performed on the Web Directory Free plugin without corresponding user session activity
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor for suspicious form submissions to /wp-admin/ endpoints from external referrers
- Scan database content for common XSS patterns such as <script>, javascript:, and event handlers like onerror
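To make the last two strategies concrete (scanning stored content for XSS patterns and spotting POSTs to /wp-admin/ from external referrers), the following is an added example, not from the advisory or the plugin. It is plain PHP with no WordPress dependency; the database rows, log lines and hostname are constructed samples:

```php
<?php
// Added example; inputs are constructed. Runs with the PHP CLI, no WordPress needed.

// Patterns from the advisory's list: <script>, javascript: URLs, on* event handlers.
const WDF_XSS_PATTERNS = array(
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',   // broad on purpose; tune for false positives
);

// Returns [row id => [matched pattern names]] for stored values that look injected.
function wdf_scan_rows( array $rows ): array {
    $hits = array();
    foreach ( $rows as $id => $value ) {
        // Decode entities first so an entity-encoded payload is not missed.
        $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5 );
        foreach ( WDF_XSS_PATTERNS as $name => $re ) {
            if ( preg_match( $re, $decoded ) ) { $hits[ $id ][] = $name; }
        }
    }
    return $hits;
}

// Flags POSTs to /wp-admin/ whose Referer host is not the site itself (or is absent).
// Expects combined-log-format lines: "METHOD PATH HTTP/x" STATUS BYTES "REFERER" "UA".
function wdf_scan_access_log( array $lines, string $site_host ): array {
    $flagged = array();
    $re = '/"POST\s+(\/wp-admin\/[^\s"]*)[^"]*"\s+\d{3}\s+\S+\s+"([^"]*)"/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) { continue; }
        $ref_host = $m[2] === '-' ? '' : (string) parse_url( $m[2], PHP_URL_HOST );
        if ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $flagged[] = array( 'path' => $m[1], 'referer' => $m[2] );
        }
    }
    return $flagged;
}

// Constructed sample data: one clean listing, two injected ones, two log lines.
$rows = array(
    101 => "Joe's Plumbing",
    102 => '<img src=x onerror=alert(1)>',
    103 => '&lt;script&gt;document.title=1&lt;/script&gt;',
);
$log = array(
    '203.0.113.7 - - [03/Apr/2025:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://directory.example/wp-admin/admin.php?page=wdf" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2025:10:02:13 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
);
print_r( wdf_scan_rows( $rows ) );                            // flags rows 102 and 103
print_r( wdf_scan_access_log( $log, 'directory.example' ) );  // flags the second line
```

Referer-based checks are a triage aid only, since browsers and privacy settings may strip the header; treat a missing Referer on an admin POST as worth a look, not as proof.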
Monitoring Recommendations
- Enable WordPress security logging plugins to track all plugin-related administrative actions
- Configure Web Application Firewall (WAF) rules to detect CSRF attack patterns
- Implement real-time monitoring for database modifications to plugin tables
- Set up alerts on CSP violation reports, which may indicate XSS injection attempts
How to Mitigate CVE-2025-30908
Immediate Actions Required
- Audit existing Web Directory Free entries for signs of injected malicious content
- Review WordPress user accounts for any unauthorized administrative accounts that may have been created
- Consider temporarily disabling the Web Directory Free plugin until a patched version is available
- Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules
Patch Information
At the time of publication, administrators should check for updates to the Web Directory Free plugin and apply any security patches released by Shamalli. Monitor the Patchstack Vulnerability Report for updates on remediation status.
Ensure WordPress core, all plugins, and themes are updated to their latest versions. Subscribe to security advisories from the plugin vendor and WordPress security sources.
Workarounds
- Implement server-side CSRF protection at the web server level using ModSecurity or similar WAF rules
- Add Content Security Policy headers to restrict inline script execution: Content-Security-Policy: script-src 'self'
- Restrict access to WordPress admin dashboard by IP address where feasible
- Consider replacing the vulnerable plugin with an alternative directory solution that has been security audited
# Add Content Security Policy header in Apache .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# Or in Nginx server block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


