CVE-2025-30783
Description
A CSRF vulnerability in WP Google Review Slider up to v16.0 enables SQL Injection, allowing attackers to execute arbitrary SQL commands against the WordPress database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in jgwhite33's WP Google Review Slider plugin (wp-google-places-review-slider) versions from n/a through 16.0 [1]. The CSRF flaw allows an attacker to trick an authenticated administrator into performing unintended actions, which can be leveraged to inject malicious SQL queries [1]. No specific form or handler is named, but the CSRF token validation is missing on a privileged endpoint used for SQL operations [1].
Exploitation
The attacker must craft a malicious link or HTML page that triggers a state-changing request to the vulnerable WordPress admin page while the target administrator is logged in [1]. The attacker does not need an account or any user role of their own because the attack relies on session riding: the victim's browser sends the attacker's forged request along with the victim's session cookies [1]. If the targeted endpoint processes database writes without CSRF protection, SQL injection can be executed by embedding a payload in a parameter value [1].
Impact
A successful attack leads to SQL Injection, enabling the attacker to read, modify, or delete data in the WordPress database [1]. This could result in full site compromise, including extraction of user credentials, creation of rogue admin accounts, or defacement of pages [1]. The integrity and confidentiality of all stored content are at risk.
Mitigation
The CSRF vulnerability is fixed in version 16.1; users should upgrade to 16.1 or later immediately [1]. As of 2025-12-03, version 17.7 is available and listed as requiring WordPress >= 3.0.1 [1]. There is no workaround beyond updating the plugin. This CVE is not on the CISA KEV list.
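The advisory describes two missing controls on a privileged plugin endpoint: no CSRF token check, and request data reaching SQL unparameterised. The following is an added illustration of how a WordPress admin handler closes both gaps; it is not code from the WP Google Review Slider plugin, and the action name `example_save_review_setting`, the table `example_reviews` and the `review_id`/`label` parameters are hypothetical.

```php
<?php
// Added example: a hardened WordPress admin-post handler.
// Not code from the WP Google Review Slider plugin; all names are hypothetical.

add_action( 'admin_post_example_save_review_setting', 'example_save_review_setting' );

function example_save_review_setting() {
    global $wpdb;

    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF check: a request forged from another origin cannot carry a valid
    //    nonce, because the nonce is bound to the victim's session and this action.
    //    check_admin_referer() dies with an error page when the nonce is missing or invalid.
    check_admin_referer( 'example_save_review_setting', '_wpnonce' );

    // 3. Validate and type-constrain input before it reaches SQL.
    $review_id = isset( $_POST['review_id'] ) ? absint( $_POST['review_id'] ) : 0;
    $label     = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    if ( 0 === $review_id || '' === $label ) {
        wp_die( 'Invalid input', 400 );
    }

    // 4. Parameterised query: $wpdb->prepare() keeps data out of the SQL grammar,
    //    so a crafted parameter value cannot alter the statement.
    $table = $wpdb->prefix . 'example_reviews'; // hypothetical table name
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET label = %s WHERE id = %d",
            $label,
            $review_id
        )
    );

    wp_safe_redirect( admin_url( 'admin.php?page=example-reviews&updated=1' ) );
    exit;
}

// The matching admin form: wp_nonce_field() emits the token that the handler verifies.
function example_render_form( $review_id, $label ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_review_setting">
        <?php wp_nonce_field( 'example_save_review_setting', '_wpnonce' ); ?>
        <input type="hidden" name="review_id" value="<?php echo esc_attr( (int) $review_id ); ?>">
        <input type="text" name="label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce and the capability check address the CSRF half of the advisory; `$wpdb->prepare()` addresses the SQL injection half independently, so a site is protected even if one of the two controls is later weakened. When reviewing a plugin for this class of bug, look for `admin_post_*`, `wp_ajax_*` or `admin_init` handlers that call `$wpdb->query()` or `$wpdb->get_results()` without a preceding `check_admin_referer()`/`check_ajax_referer()` and without `prepare()`.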
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=16.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.