CVE-2025-30798 is a Reflected Cross-site Scripting (XSS) vulnerability identified in the Better WishList API by rickonline_nl, affecting versions up to 1.1.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed in the context of the victim's browser. Reflected XSS typically occurs when input from HTTP requests is immediately included in responses without proper sanitization or encoding. This can enable attackers to craft malicious URLs that, when visited by unsuspecting users, execute arbitrary JavaScript code. Such scripts can steal session cookies, perform actions on behalf of the user, or redirect victims to phishing sites. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction to trigger the malicious payload. No CVSS score has been assigned yet, and no known exploits are reported in the wild as of the publication date. The Better WishList API is likely used in e-commerce or wishlist management systems, which may be embedded in various websites, increasing the potential attack surface. The lack of patches or official fixes at the time of reporting means organizations must implement interim mitigations to reduce risk. The vulnerability highlights the importance of proper input validation, output encoding, and secure coding practices in API development to prevent injection attacks.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity through the execution of malicious scripts in users' browsers. Attackers can steal session tokens, hijack user accounts, manipulate displayed content, or redirect users to malicious sites, leading to phishing or malware distribution. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if user data is compromised. The availability of the affected API may not be directly impacted, but indirect effects such as increased support costs and remediation efforts can occur. Since the vulnerability is reflected XSS, it requires user interaction, which may limit mass exploitation but still poses a significant risk especially in targeted attacks or phishing campaigns. The lack of authentication requirement broadens the attacker’s ability to target any user of the affected system. Organizations relying on the Better WishList API in their web applications are at risk of these impacts until the vulnerability is remediated.

Organizations should immediately review their use of the Better WishList API and implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web traffic for suspicious URL patterns that may indicate exploitation attempts. If possible, isolate or sandbox the affected API components to limit exposure. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. Until official patches are released, consider implementing Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting the API endpoints. Educate users about the risks of clicking on suspicious links and encourage safe browsing practices. Conduct thorough security testing, including penetration testing and code reviews, focusing on input handling in the affected API. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.