CVE-2025-30539: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress BMo Expo plugin, identified as CVE-2025-30539. The vulnerability affects versions through 1.0.15 of the BMo Expo plugin developed by Benedikt Mo. The issue was initially reported by Nabil Irawan on March 3, 2025, and was publicly disclosed by Patchstack on March 24, 2025 (Patchstack Database).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It received a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator-level privileges to exploit (NVD, Patchstack Database).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Database).

Currently, no official fix is available for this vulnerability. The security issue has been classified as low priority, and virtual patching has been deemed unnecessary (Patchstack Database).