CVE-2025-30615 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP e-Commerce Style Email plugin, versions up to 0.6.2, developed by Jacob Schwartz. CSRF vulnerabilities occur when a web application does not adequately verify that requests originate from legitimate users, allowing attackers to trick authenticated users into submitting malicious requests unknowingly. In this case, the vulnerability enables code injection, meaning an attacker can inject and execute arbitrary code on the affected WordPress site by exploiting the victim's authenticated session. The plugin fails to implement proper anti-CSRF tokens or other request validation mechanisms, making it susceptible to such attacks. This can lead to unauthorized changes in email styles or potentially more severe consequences depending on the injected code's nature. The vulnerability affects all installations using the vulnerable plugin versions, regardless of additional user interaction beyond the victim being logged in. No patches or fixes have been officially released yet, and no known exploits have been reported in the wild. However, the risk remains significant due to the nature of the vulnerability and the widespread use of WordPress and e-commerce plugins. The lack of a CVSS score requires an expert severity assessment based on the vulnerability's characteristics.

The exploitation of this CSRF vulnerability can have severe consequences for organizations running WordPress sites with the WP e-Commerce Style Email plugin. Attackers can inject malicious code, potentially leading to unauthorized access, data leakage, defacement, or further compromise of the web server. This can undermine the confidentiality and integrity of customer data and transactional information, damaging organizational reputation and customer trust. Additionally, injected code could be used to pivot attacks within the network or distribute malware to site visitors. The availability of the affected service could also be disrupted if the injected code causes operational failures or triggers security mechanisms. Since the vulnerability requires the victim to be authenticated, attackers may target users with administrative or editorial privileges to maximize impact. The absence of known exploits in the wild suggests a window for proactive mitigation, but organizations should act promptly to reduce risk.

To mitigate this vulnerability, organizations should first verify if they are using the WP e-Commerce Style Email plugin version 0.6.2 or earlier and plan to upgrade to a patched version once available. Until a patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the plugin's endpoints can provide temporary protection. Additionally, enforcing strict user role management and limiting administrative access reduces the risk of exploitation. Site owners should ensure that all users log out after sessions and avoid using the plugin on high-privilege accounts. Monitoring logs for unusual POST requests or changes in email styling can help detect potential exploitation attempts. Finally, educating users about CSRF risks and encouraging the use of multi-factor authentication can further reduce the likelihood of successful attacks.