CVE-2025-30995: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in OTWthemes Widgetize Pages Light WordPress plugin, tracked as CVE-2025-30995. The vulnerability affects versions through 3.0 of the plugin and allows attackers to perform Stored XSS attacks. This security issue was discovered by Nguyen Tran Tuan Dung (domiee13) and was publicly disclosed on June 5, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The security flaw is classified under the OWASP Top 10 category A1: Broken Access Control. The vulnerability can be exploited without authentication, making it particularly concerning (NVD, Patchstack).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF with Stored XSS capabilities increases the potential impact, as it could lead to persistent attacks against authenticated users (Patchstack).

Currently, there is no official fix available for this vulnerability. Since the software appears to be abandoned (last updated over a year ago), the recommended mitigation strategy is to remove and replace the plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch (vPatch) is deployed (Patchstack).