The vulnerability identified as CVE-2025-30550 affects the WPShop.ru CallPhone'r plugin for WordPress, specifically versions up to and including 1.1.1. It is a Cross-Site Request Forgery (CSRF) vulnerability that enables an attacker to perform unauthorized actions on behalf of an authenticated user. The exploitation of this CSRF flaw leads to Stored Cross-Site Scripting (XSS), where malicious scripts are injected and persist within the application, executing whenever the affected content is viewed by users. This combination of CSRF and stored XSS is particularly dangerous because it allows attackers to bypass normal authentication and authorization controls, potentially compromising user sessions, stealing sensitive information, or performing actions with elevated privileges. The vulnerability does not require user interaction beyond visiting a crafted malicious webpage, making it easier to exploit. Although no public exploits are currently known, the presence of stored XSS increases the risk of widespread impact once exploitation techniques become available. The plugin is used primarily in WordPress environments, which are widely deployed globally, especially in e-commerce and business websites. The lack of an official patch at the time of publication means that affected organizations remain exposed until updates or mitigations are applied. The vulnerability was published on March 24, 2025, and assigned by Patchstack, but no CVSS score has been provided.

The impact of CVE-2025-30550 is significant for organizations using the WPShop.ru CallPhone'r plugin on their WordPress sites. Successful exploitation can lead to stored XSS attacks, which compromise the confidentiality and integrity of user data by allowing attackers to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, credential theft, unauthorized actions, and potential malware distribution. The CSRF aspect means attackers can trick authenticated users into executing unwanted actions without their consent, potentially modifying site content or settings. For e-commerce sites or those handling sensitive customer information, this can lead to data breaches, reputational damage, and financial loss. The vulnerability affects the availability indirectly if attackers leverage the XSS to disrupt user sessions or site functionality. Since WordPress powers a large portion of the web, the scope of affected systems is broad, especially for sites using this specific plugin. The ease of exploitation, requiring only a victim to visit a malicious page, increases the risk of widespread attacks once exploit code is developed.

Organizations should immediately monitor for any unusual or unauthorized actions within their WordPress environments using the CallPhone'r plugin. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Implementing Web Application Firewall (WAF) rules that detect and block CSRF attempts and suspicious input patterns related to XSS can provide interim protection. Enforce strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Review and harden user permissions to minimize the number of users with administrative privileges who could be targeted. Educate users about the risks of visiting untrusted websites while logged into administrative accounts. Once a patch is available, apply it promptly and verify that CSRF tokens and input sanitization are properly implemented. Regularly audit plugins for security updates and consider alternative plugins with better security track records if timely patches are not forthcoming.