CVE-2025-30893: 
WordPress vulnerability analysis and mitigation

LeadConnector plugin version 3.0.2 and earlier contains a DOM-Based Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-30893. The vulnerability was discovered by Peter Thaleikis and publicly disclosed on March 27, 2025. This security issue affects the LeadConnector WordPress plugin through version 3.0.2 (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue, specifically a DOM-Based XSS vulnerability. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact affects the confidentiality, integrity, and availability of the affected system, though each with limited scope (Patchstack).

The vulnerability has been patched in version 3.0.3 of the LeadConnector plugin. Users are advised to update to version 3.0.3 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).