CVE-2025-30982: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the WordPress plugin MyBookProgress by Stormhill Media, tracked as CVE-2025-30982. The vulnerability affects versions through 1.0.8 and was discovered by security researcher Abdi Pranata. The initial disclosure was made on April 3, 2025, and the vulnerability was subsequently published in the National Vulnerability Database on April 15, 2025 (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires authenticated access with Subscriber-level privileges or higher to exploit (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising user data and website integrity (Patchstack).

While no official fix was available at the time of disclosure, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their sites (Patchstack).