CVE-2025-30900: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Zoho Subscriptions Zoho Billing – Embed Payment Form through version 4.0. The vulnerability was discovered on March 27, 2025, and was assigned identifier CVE-2025-30900. This security issue affects the Zoho Billing – Embed Payment Form plugin, specifically versions up to and including 4.0 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is associated with CWE-79, which relates to improper neutralization of input during web page generation (NVD).

This vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The stored XSS nature of the vulnerability means that the malicious payload persists in the application's database and is executed whenever the compromised page is accessed by users (Patchstack).

Users are advised to update to version 4.1 or later of the Zoho Billing – Embed Payment Form plugin to remediate this vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).