CVE-2025-30988: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in CreativeMedia Elite Video Player through version 10.0.5. The vulnerability was identified and disclosed on June 11, 2025, and has been assigned the identifier CVE-2025-30988. This security flaw affects WordPress installations using the Elite Video Player plugin (NVD, Wiz).

The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD, Patchstack).

The vulnerability enables malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into websites. When visitors access the affected site, these injected scripts are executed, potentially compromising the confidentiality, integrity, and availability of the affected system (Wiz, Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has released a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are strongly advised to implement this virtual patch immediately to protect their sites (Patchstack).