CVE-2025-30799 identifies a stored cross-site scripting (XSS) vulnerability in the WP Google Street View plugin developed by Pagup, affecting all versions up to 1.1.5. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently on the affected WordPress site. When other users visit the compromised pages, the injected scripts execute in their browsers within the context of the vulnerable site, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. This type of stored XSS is particularly dangerous because the malicious payload remains on the server and affects all visitors to the infected page. The vulnerability does not require authentication or user interaction beyond visiting the affected page, increasing its risk profile. Although no public exploits have been reported yet, the widespread use of WordPress and the popularity of plugins like WP Google Street View make this a significant threat. The absence of a CVSS score indicates the need for an expert severity assessment, which here is considered high due to the impact and ease of exploitation. The vulnerability was publicly disclosed on March 27, 2025, by Patchstack, but no official patches or mitigations have been linked yet, emphasizing the importance of immediate defensive actions.

The impact of CVE-2025-30799 on organizations worldwide can be substantial, especially for those relying on WordPress sites with the WP Google Street View plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, potentially leading to session hijacking, credential theft, defacement, unauthorized actions, or distribution of malware to site visitors. This can damage organizational reputation, lead to data breaches, and cause loss of customer trust. E-commerce sites, corporate portals, and any web presence with sensitive user interactions are particularly vulnerable. The persistent nature of stored XSS means the malicious code remains active until removed, increasing the window of exposure. Additionally, attackers can leverage this vulnerability as a foothold for further attacks within the network or to spread phishing campaigns. Given the plugin’s integration with Google Street View, attackers might also manipulate location-based content to mislead users or conduct social engineering attacks. The lack of authentication requirements and user interaction makes this vulnerability easier to exploit at scale, increasing the risk of widespread compromise.

To mitigate CVE-2025-30799, organizations should immediately audit their WordPress installations for the presence of the WP Google Street View plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If removal is not feasible, implement strict input validation and output encoding on all data handled by the plugin to neutralize malicious scripts. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. Regularly monitor website content for unauthorized script injections and conduct security scans to identify potential compromises. Educate site administrators and content editors about the risks of stored XSS and safe content management practices. Once a patch becomes available, prioritize its deployment in all affected environments. Additionally, enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any successful injection. Maintain regular backups to enable quick restoration if defacement or data loss occurs.