Impact
CVE-2025-30995 is a Cross-Site Request Forgery (CSRF) flaw that leads to stored Cross-Site Scripting (XSS). A state-changing request in the affected WordPress plugin is accepted without a valid anti-CSRF token, so an attacker who lures a logged-in user onto a crafted page can have that user's browser submit the request and get a malicious payload saved by the plugin. Because the stored value is not properly sanitized, it is served in pages rendered later and executes as arbitrary JavaScript in the site's origin, enabling theft of sensitive data, session hijacking, or defacement. The stored XSS is therefore the direct consequence of two defects: missing CSRF protection on the handler that saves the data, and missing input sanitization of what it saves.
Affected Systems
The documented vulnerability affects the WordPress plugin OTWthemes Widgetize Pages Light. All releases from the earliest version (no explicit lower bound is listed) through 3.0 are considered vulnerable, so any site running this plugin at version 3.0 or earlier is at risk. The installed version is shown on the Plugins screen of the WordPress admin dashboard.
Risk and Exploitability
The CVSS score of 7.1 rates the issue as high severity, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog, so no confirmed widespread exploitation has been reported. The attack follows the usual CSRF pattern: the attacker needs no account on the target site, but does need a user who is logged in with enough rights to use the vulnerable plugin function (typically an administrator) to open a crafted link or page; the victim's browser then sends the forged request with its own session cookies and the script is stored. Exploitability is therefore gated on user interaction rather than on attacker privilege, so a low EPSS should not be read as "not exploitable": a single targeted message to a site administrator is enough to trigger the chain.
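The two defects named in the Impact section (no CSRF token, no sanitization) are easiest to see side by side. The following is an added, generic WordPress settings handler written for this page; it is not code from the Widgetize Pages Light plugin, and the option name, action name, and function names are hypothetical. The weak handler is shown for contrast and is deliberately not hooked in; only the hardened handler is registered.

```php
<?php
/*
 * Added example, not the Widgetize Pages Light plugin's code.
 * Shows the weak pattern behind a CSRF-to-stored-XSS bug beside a hardened
 * version. Option name 'example_custom_html', nonce action
 * 'example_save_settings' and all function names are hypothetical.
 */

// --- Weak pattern (NOT registered; shown only for contrast) ---------------
function example_save_settings_weak() {
    // Any POST reaching this hook is trusted: no nonce, no capability check,
    // so a cross-site form submitted by a logged-in admin's browser succeeds.
    if ( isset( $_POST['example_custom_html'] ) ) {
        // Raw markup (e.g. a <script> tag) is stored as-is.
        update_option( 'example_custom_html', wp_unslash( $_POST['example_custom_html'] ) );
    }
}

function example_render_weak() {
    // Stored XSS sink: the unsanitized value is echoed into every page.
    echo get_option( 'example_custom_html', '' );
}

// --- Hardened pattern ------------------------------------------------------
function example_settings_form() {
    echo '<form method="post">';
    // Emits hidden nonce and referer fields bound to this user and action.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<textarea name="example_custom_html">'
        . esc_textarea( get_option( 'example_custom_html', '' ) )
        . '</textarea>';
    submit_button();
    echo '</form>';
}

function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_custom_html'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce proves the request came from a form WordPress
    //    rendered for this user and action. A forged cross-site POST cannot
    //    supply it; check_admin_referer() stops execution on mismatch.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Input sanitization: keep only post-safe HTML. wp_kses_post() strips
    //    <script>, on* event handlers and javascript: URLs.
    $clean = wp_kses_post( wp_unslash( $_POST['example_custom_html'] ) );
    update_option( 'example_custom_html', $clean );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

function example_render_hardened() {
    // 4. Filter again on output, so a value stored by an older unsanitized
    //    build of the plugin cannot execute after the upgrade either.
    echo wp_kses_post( get_option( 'example_custom_html', '' ) );
}
```

Both checks matter: the nonce alone would still let a privileged user store a script (self-XSS, or a compromised editor account), and sanitization alone would still let an attacker forge benign but unwanted configuration changes. Re-filtering at render time is the step that neutralises payloads already sitting in the database from before the patch.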