CVE-2025-30550 in CallPhoner Plugin
Summary
by MITRE • 03/24/2025
Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r allows Stored XSS. This issue affects CallPhone'r: from n/a through 1.1.1.
Analysis
by VulDB Data Team • 03/24/2025
This vulnerability is a critical security flaw in the WPShop.ru CallPhone'r plugin that combines cross-site request forgery with stored cross-site scripting. It lies in the plugin's handling of user input and request processing, creating an attack vector that can persistently compromise user sessions and execute malicious code in the target environment. The issue spans all versions from the initial release through version 1.1.1, indicating a long-standing flaw that had remained unaddressed.
Technically, the vulnerability stems from inadequate validation and sanitization of user-supplied data in the plugin's administrative interfaces and form-processing components. Where users submit phone numbers or contact information, the plugin fails to implement anti-CSRF tokens or otherwise validate that an incoming request originated from its own forms. An attacker can therefore craft a request that the WordPress administration system treats as legitimate while an XSS payload is stored through the plugin's data handling.
The operational impact goes beyond simple session hijacking to persistent malicious code execution in users' browsers. The stored XSS component lets injected scripts run whenever an affected user views the compromised plugin interface or related pages, which can harvest session cookies, redirect users to malicious sites, or perform unauthorized actions on behalf of authenticated users. Combining CSRF with stored XSS is particularly dangerous because the attacker can establish long-term access to the compromised system while the stored payload maintains the foothold.
Security professionals should note that this vulnerability maps to CWE-352 (CSRF) and CWE-79 (XSS), a classic case of two weakness types combined for greater effect. The ATT&CK framework categorizes this as a privilege escalation and persistence technique, where initial access through CSRF leads to sustained malicious activity through stored XSS. Organizations should immediately update to a patched version of the plugin, implement proper CSRF token validation, and review every plugin component that handles user input. Monitoring should also be enhanced to detect suspicious request patterns and payload delivery attempts.
The vulnerability demonstrates the critical importance of proper input validation and request authentication in WordPress plugin development. Developers must ensure that all user-facing interfaces implement robust CSRF protection mechanisms while maintaining strict output sanitization to prevent XSS injection. Security audits should specifically target plugin components that handle form submissions, administrative functions, and user data processing to identify similar combinations of vulnerabilities that could enable persistent compromise of WordPress installations.
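As an added illustration (not code from the CallPhone'r plugin or from VulDB), the weak pattern the analysis describes is shown next to a hardened WordPress handler; the `cp_demo_*` function, option and nonce names are hypothetical, and the WordPress API calls (`wp_nonce_field`, `wp_verify_nonce`, `current_user_can`, `sanitize_text_field`, `esc_html`) are the standard core functions.

```php
<?php
// Added example, not the plugin's own code. Hypothetical admin form that stores
// a "contact phone" setting, shown as the weak pattern and the hardened one.

// --- Weak pattern: no nonce check, no capability check, no input sanitization,
// and the stored value is echoed back unescaped (CSRF leading to stored XSS). ---
function cp_demo_save_phone_weak() {
    if ( isset( $_POST['cp_demo_phone'] ) ) {
        update_option( 'cp_demo_phone', $_POST['cp_demo_phone'] );
    }
}
function cp_demo_render_phone_weak() {
    echo '<p>Contact: ' . get_option( 'cp_demo_phone', '' ) . '</p>';
}

// --- Hardened pattern ---
function cp_demo_phone_form() {
    // Emits a hidden nonce field bound to this action and the current user session.
    echo '<form method="post">';
    wp_nonce_field( 'cp_demo_save_phone', 'cp_demo_nonce' );
    echo '<input type="text" name="cp_demo_phone" value="'
        . esc_attr( get_option( 'cp_demo_phone', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
function cp_demo_save_phone_hardened() {
    if ( ! isset( $_POST['cp_demo_phone'] ) ) {
        return;
    }
    // Reject requests that did not originate from our own form (CSRF defence).
    if ( ! isset( $_POST['cp_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['cp_demo_nonce'], 'cp_demo_save_phone' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // Only users permitted to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Normalise input before storing: strip tags/control chars, then keep only
    // characters that belong in a phone number.
    $phone = sanitize_text_field( wp_unslash( $_POST['cp_demo_phone'] ) );
    $phone = preg_replace( '/[^0-9+() .-]/', '', $phone );
    update_option( 'cp_demo_phone', $phone );
}
function cp_demo_render_phone_hardened() {
    // Escape on output regardless of what is stored (defence in depth against stored XSS).
    echo '<p>Contact: ' . esc_html( get_option( 'cp_demo_phone', '' ) ) . '</p>';
}
add_action( 'admin_init', 'cp_demo_save_phone_hardened' );
```

The hardened handler fails closed on a missing or invalid nonce, so a cross-origin POST cannot update the option even when the victim is logged in as an administrator.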