CVE-2025-22530 identifies a stored Cross-site Scripting (XSS) vulnerability in the PORTONE 아임포트 결제버튼 생성 플러그인 (iamport-payment) plugin, which is used to generate payment buttons. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not adequately sanitized before being embedded in web pages. This flaw allows attackers to inject malicious JavaScript code that is stored persistently on the server and executed in the browsers of users who visit affected pages. Because the malicious script executes in the context of the vulnerable website, attackers can hijack user sessions, steal cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability affects all versions up to and including 1.1.19, with no patch currently linked. Exploitation does not require authentication, increasing the attack surface, but does require user interaction to trigger the payload. Although no known exploits have been reported in the wild, the nature of stored XSS vulnerabilities makes them particularly dangerous in environments handling sensitive data, such as payment processing. The plugin is primarily used in South Korea, where PORTONE services are prevalent, but may also be deployed in other regions with Korean businesses or e-commerce platforms integrating this payment solution. The absence of a CVSS score necessitates an expert severity assessment, which rates this vulnerability as high due to its impact on confidentiality and integrity, ease of exploitation, and broad potential scope.

The stored XSS vulnerability in the PORTONE iamport-payment plugin can have severe consequences for organizations worldwide that use this payment button solution. Attackers can exploit this flaw to execute arbitrary scripts in the browsers of users interacting with affected web pages, leading to session hijacking, theft of sensitive information such as payment credentials, and unauthorized transactions. This can result in financial losses, reputational damage, and regulatory penalties for organizations handling payment data. Additionally, attackers may use the vulnerability to deliver malware or conduct phishing attacks by injecting deceptive content. The vulnerability's presence in a payment-related plugin heightens the risk due to the sensitive nature of the data processed. Since exploitation does not require authentication, any visitor to a compromised site could be targeted, increasing the scope of potential victims. Organizations relying on this plugin without mitigation expose themselves to significant operational and security risks.

To mitigate CVE-2025-22530, organizations should immediately verify if they use the affected versions (up to 1.1.19) of the PORTONE iamport-payment plugin and plan to upgrade to a patched version once available. In the absence of an official patch, implement strict input validation and output encoding on all user-supplied data that is rendered in web pages to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly audit and sanitize stored data inputs related to the payment button plugin. Monitor web server logs and application behavior for unusual activities indicative of exploitation attempts. Educate developers and administrators about secure coding practices and the risks of stored XSS in payment processing contexts. Finally, consider isolating the plugin's output or using sandboxing techniques to limit the scope of script execution within the application.