CVE-2025-30804 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the wpShopGermany IT-RECHT KANZLEI WordPress plugin developed by maennchen1.de, affecting versions up to and including 2.0. CSRF vulnerabilities occur when a web application does not properly verify that requests made to it originate from legitimate users, allowing attackers to craft malicious web pages that cause authenticated users to unknowingly perform actions such as changing settings or submitting forms. This plugin, which provides legal compliance features for German e-commerce shops, fails to implement adequate anti-CSRF protections, such as nonce tokens or referer validation, enabling attackers to exploit this flaw. The vulnerability requires the victim to be authenticated on the target site but does not require additional user interaction beyond visiting a malicious page. No CVSS score has been assigned yet, and no public exploits are known. The vulnerability affects the integrity of the affected sites by allowing unauthorized state-changing requests, potentially leading to unauthorized changes in shop settings or legal compliance configurations. The plugin’s user base is primarily in German-speaking countries, but WordPress’s global reach means other regions may also be impacted. The lack of patches or official fixes at the time of publication increases the urgency for mitigation.

The primary impact of this CSRF vulnerability is on the integrity of affected WordPress sites using the wpShopGermany IT-RECHT KANZLEI plugin. Attackers can induce authenticated users to perform unintended actions, potentially altering shop configurations, legal compliance settings, or other critical parameters without authorization. This can lead to misconfiguration, legal non-compliance, or disruption of e-commerce operations. While confidentiality and availability impacts are limited, the integrity compromise can have downstream effects such as financial loss, reputational damage, and regulatory penalties, especially for businesses operating under strict e-commerce and data protection laws. The ease of exploitation—requiring only that the victim be logged in and visit a malicious site—makes this a significant risk. Organizations worldwide using this plugin or similar WordPress setups are vulnerable until mitigations are applied.

1. Monitor for official patches or updates from maennchen1.de and apply them immediately once available. 2. Implement web application firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the plugin’s endpoints. 3. Enforce strict user session management and consider limiting administrative access to trusted networks or VPNs. 4. Add or verify the presence of anti-CSRF tokens (nonces) in all state-changing requests within the plugin’s codebase if custom modifications are possible. 5. Educate users and administrators to avoid clicking on untrusted links while authenticated on the affected sites. 6. Conduct regular security audits and penetration testing focusing on CSRF and other web vulnerabilities. 7. Use Content Security Policy (CSP) headers to restrict the domains from which scripts and forms can be loaded, reducing the risk of CSRF payload delivery. 8. Consider disabling or replacing the plugin if timely patches are unavailable and the risk is unacceptable.