CVE-2025-30579 identifies a reflected Cross-site Scripting (XSS) vulnerability in the Jakeii Pesapal Gateway plugin for WooCommerce, a payment gateway integration used in WordPress e-commerce sites. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being included in web pages. This flaw allows attackers to craft malicious URLs or input that, when visited or processed by a victim's browser, execute arbitrary JavaScript code. Such reflected XSS attacks typically require the victim to click on a malicious link or visit a specially crafted page. The plugin versions affected are all up to and including 2.1.0, with no patch links currently published. The vulnerability was reserved on March 24, 2025, and published on April 1, 2025. No CVSS score is assigned yet, and no known exploits have been reported in the wild. The vulnerability impacts the confidentiality and integrity of user sessions and data by enabling theft of cookies, credentials, or performing unauthorized actions within the victim's session context. WooCommerce is a widely used e-commerce platform, and the Pesapal Gateway plugin facilitates payment processing, making this vulnerability particularly concerning for online merchants relying on this payment method. The lack of authentication requirement and the ease of exploitation through social engineering increase the threat level. The vulnerability is categorized under improper input neutralization during web page generation, a common web security weakness.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions on e-commerce websites using the affected Pesapal Gateway plugin. Attackers exploiting this reflected XSS flaw can execute arbitrary scripts in the context of a victim's browser, potentially stealing session cookies, login credentials, or other sensitive information. This can lead to account takeover, fraudulent transactions, or unauthorized actions performed on behalf of legitimate users. The availability impact is generally low for XSS but could be leveraged in combination with other attacks to disrupt service or deface websites. Organizations worldwide running WooCommerce stores with the Pesapal Gateway plugin are at risk, especially those processing sensitive payment information. The vulnerability could undermine customer trust and lead to financial losses, regulatory penalties, and reputational damage. Since no authentication is required and exploitation relies on social engineering, the attack surface is broad, affecting any visitor or user interacting with the vulnerable site. The lack of a patch at the time of disclosure increases exposure duration. Overall, the threat poses a significant risk to e-commerce operations and user security.

Organizations should immediately monitor for updates or patches released by Jakeii for the Pesapal Gateway plugin and apply them as soon as they become available. Until a patch is released, implement strict input validation and output encoding on all user-supplied data within the plugin's codebase to neutralize malicious scripts. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block reflected XSS payloads targeting the Pesapal Gateway endpoints. Educate users and staff about the risks of clicking on suspicious links and encourage the use of security-aware browsing practices. Conduct regular security assessments and penetration tests focusing on e-commerce payment plugins to identify similar vulnerabilities. Consider temporarily disabling or replacing the Pesapal Gateway plugin with alternative payment gateways if patching is delayed and risk is unacceptable. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. Maintain comprehensive logging and monitoring to detect potential exploitation attempts. Finally, ensure that all WooCommerce and WordPress installations are kept up to date to reduce the overall attack surface.