WordPress Plugin Vulnerabilities

CubeWP <= 1.1.29 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
cubewp-framework
No known fix

References

CVE
CVE-2025-30994
URL
https://patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-all-in-one-dynamic-content-framework-plugin-1-1-23-cross-site-request-forgery-csrf-to-settings-change-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
domiee13
Verified
No
WPVDB ID
df80bbc0-6f2f-4740-8bcc-e8161b50d5df

Timeline

Publicly Published
2025-06-05 (about 11 months ago)
Added
2025-06-11 (about 11 months ago)
Last Updated
2026-01-14 (about 3 months ago)

Other

Published
Title
Published
2025-12-31
Title
EasyIndex <= 1.1.1704 - Cross-Site Request Forgery
Published
2022-09-22
Title
3D Tag Cloud <= 3.8 - Stored XSS via CSRF
Published
2024-02-27
Title
Envo's Elementor Templates & Widgets for WooCommerce < 1.4.5 - Arbitrary Theme Activation via CSRF
Published
2025-04-25
Title
wp-cyr-cho <= 0.1 - Cross-Site Request Forgery
Published
2025-05-07
Title
Beacon Lead Magnets and Lead Capture < 1.5.9 - Cross-Site Request Forgery