CVE-2025-30776: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in webvitaly Sitekit WordPress plugin, affecting versions up to 1.8. The vulnerability was disclosed on March 27, 2025, and assigned identifier CVE-2025-30776. This security issue allows authenticated users with Contributor or higher privileges to perform stored XSS attacks (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit (NVD).

The vulnerability allows attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are executed when visitors access the affected pages, potentially compromising the security of both the website and its users (Patchstack).

The vulnerability has been patched in Sitekit version 1.9. Website administrators are advised to update to version 1.9 or later to remediate this security issue. The vulnerability is considered to have a low severity impact and is unlikely to be exploited, but updating is still recommended as a security best practice (Patchstack).