CVE-2025-30994: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in CubeWP – All-in-One Dynamic Content Framework affecting versions through 1.1.23. The vulnerability was disclosed on June 5, 2025, and was assigned CVE-2025-30994. This security issue affects the WordPress plugin CubeWP Framework and allows potential Cross Site Request Forgery attacks (Patchstack Database).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The security issue is classified as CWE-352: Cross-Site Request Forgery (CSRF). The vulnerability allows Cross Site Request Forgery attacks that could enable malicious actors to force privileged users to execute unwanted actions under their current authentication (Patchstack Database).

The vulnerability has been assessed as having a low severity impact. If exploited, it could allow attackers to force higher privileged users to execute unwanted actions while authenticated. The vulnerability specifically affects the settings change functionality of the plugin (Patchstack Database).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to and including 1.1.23 of the CubeWP Framework plugin (Patchstack Database).