CVE-2025-30614 describes a reflected Cross-site Scripting vulnerability in the Haozhe Xie Google Font Fix plugin (versions ≤ 2.3.1). The issue is caused by improper neutralization of input during web page generation, which can lead to execution of arbitrary scripts in the context of the victim's browser. The vulnerability has a CVSS 3.1 base score of 7.1, with an attack vector over the network, low attack complexity, no privileges required, user interaction needed, and impacts confidentiality, integrity, and availability. No patch or official vendor advisory is provided in the available data.

Successful exploitation of this vulnerability can allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability as indicated by the CVSS vector. Since it is a reflected XSS, exploitation requires user interaction (e.g., clicking a crafted link). No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the affected Google Font Fix plugin to mitigate risk. Additionally, applying web application firewall (WAF) rules that detect and block reflected XSS payloads may provide temporary protection.