CVE-2025-30808 is a reflected Cross-site Scripting (XSS) vulnerability identified in the About Author plugin developed by Weblizar for WordPress. The flaw stems from improper neutralization of input during the generation of web pages, specifically in the handling of user-supplied data that is reflected back in the web page without adequate sanitization or encoding. This allows attackers to craft malicious URLs or input that, when visited or processed by a victim's browser, execute arbitrary JavaScript code. Such reflected XSS attacks do not require prior authentication and rely on social engineering techniques to lure users into clicking malicious links. The affected versions include all releases up to and including 1.6.2. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of the About Author plugin. The attack vector can lead to session hijacking, theft of cookies or credentials, redirection to malicious sites, or defacement of the affected website. The vulnerability was reserved on March 26, 2025, and published on April 1, 2025, but no CVSS score has been assigned. The lack of patch links suggests that a fix may still be pending or in development. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in widely deployed CMS plugins.

The impact of CVE-2025-30808 can be significant for organizations running WordPress sites with the vulnerable About Author plugin. Successful exploitation can compromise the confidentiality and integrity of user sessions by enabling attackers to steal cookies, session tokens, or other sensitive information. This can lead to unauthorized access to user accounts, including administrative accounts, potentially resulting in site defacement, data theft, or further malware distribution. The availability of the site could also be indirectly affected if attackers use the vulnerability to inject disruptive scripts. Given WordPress's extensive global usage, the scope of affected systems is broad, especially among small to medium-sized businesses and personal websites that may not have rigorous security controls. The ease of exploitation, requiring only user interaction with a crafted link, increases the risk. Although no authentication is required, the attack depends on social engineering to trick users. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a critical risk until patched.

To mitigate CVE-2025-30808, organizations should prioritize updating the About Author plugin to a patched version as soon as it becomes available from Weblizar. Until an official patch is released, site administrators can implement manual input validation and output encoding to neutralize potentially malicious input reflected in web pages. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads can provide an additional layer of defense. Website owners should also educate users and administrators about the risks of clicking untrusted links and encourage the use of security headers such as Content Security Policy (CSP) to restrict script execution sources. Regular security audits and vulnerability scanning of WordPress plugins can help identify similar issues proactively. Disabling or removing unused plugins reduces the attack surface. Monitoring web traffic for unusual patterns and implementing multi-factor authentication (MFA) can help mitigate the impact of compromised credentials resulting from XSS attacks.