CVE-2025-30918: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in codemacher Structured Content plugin versions through 1.6.3. The vulnerability was discovered on December 30, 2024, and publicly disclosed on March 27, 2025. This security issue affects WordPress installations using the Structured Content plugin (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the stored variety, which falls under the OWASP Top 10 category A3: Injection. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor-level privileges or higher to exploit (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 1.6.4 of the Structured Content plugin. Site administrators are advised to update to version 1.6.4 or later to remediate this security issue. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).