CVE-2025-30600: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WP Hotjar WordPress plugin, tracked as CVE-2025-30600. The vulnerability affects versions through 0.0.3 of the plugin, discovered and disclosed on March 24, 2025. This security issue impacts the thiagogsrwp WP Hotjar plugin, which allows for stored XSS attacks (Patchstack, NVD).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation. It has received a CVSS v3.1 score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit and user interaction for successful execution (Patchstack).

If exploited, this vulnerability could allow an attacker to inject malicious scripts into the website. These scripts could be used to redirect users, inject unwanted advertisements, or execute other HTML payloads that would be triggered when visitors access the affected site (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the security issue's low severity impact and unlikely exploitation scenario, it is considered a low-priority concern (Patchstack).