CVE-2025-30840: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress xili-dictionary plugin, identified as CVE-2025-30840. The vulnerability affects versions through 2.12.5 of the xili-dictionary plugin developed by Michel - xiligroup dev. The issue was initially reported on February 14, 2025, and was publicly disclosed on March 27, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit and features a network attack vector with low attack complexity (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

The vulnerability has been fixed in version 2.12.5.1 of the xili-dictionary plugin. Users are advised to update to version 2.12.5.1 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).