CVE-2025-30565: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress banner-manager plugin that allows for Stored Cross-Site Scripting (XSS). The vulnerability affects banner-manager plugin versions through 16.04.19. The issue was reported by security researcher Nguyen Xuan Chien on March 13, 2025, and was publicly disclosed on March 24, 2025. The vulnerability has been assigned identifier CVE-2025-30565 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue has been classified under CWE-352 (Cross-Site Request Forgery). The vulnerability requires no authentication to exploit, though it does require user interaction (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The CSRF vulnerability, combined with the stored XSS capability, could potentially lead to compromised user sessions and unauthorized actions on the affected WordPress installations (Patchstack).

Currently, there is no official fix available for this vulnerability. The latest affected version is 16.04.19, and no patched version has been released at the time of disclosure (Patchstack).