CVE-2025-30532: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in MorganF Weather Layer WordPress plugin, identified as CVE-2025-30532. The vulnerability affects Weather Layer versions up to and including 4.2.1, and was publicly disclosed on March 24, 2025. The issue stems from improper neutralization of input during web page generation (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator-level privileges to exploit (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of April 2, 2025, no official fix has been released for this vulnerability. Given the low severity impact, virtual patching has been deemed unnecessary (Patchstack).

The vulnerability was initially discovered and reported by Nabil Irawan from Heroes Cyber Security on March 4, 2025, and was subsequently published by Patchstack on March 24, 2025 (Patchstack).