CVE-2025-30900: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Zoho Subscriptions Zoho Billing – Embed Payment Form

Severity: Low
Tags: Vulnerability, CVE-2025-30900, CWE-79
Published: Thu Mar 27 2025 (03/27/2025, 10:55:50 UTC)
Source: CVE
Vendor/Project: Zoho Subscriptions
Product: Zoho Billing – Embed Payment Form

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing – Embed Payment Form allows Stored XSS. This issue affects Zoho Billing – Embed Payment Form: from n/a through 4.0.

AI-Powered Analysis

Last updated: 07/04/2025, 23:11:49 UTC

Technical Analysis

CVE-2025-30900 is a stored cross-site scripting (XSS) vulnerability in the Zoho Billing – Embed Payment Form component of Zoho Subscriptions. It is classified under CWE-79 (improper neutralization of input during web page generation): user-supplied input is written into the generated page without adequate encoding. An attacker with low privileges (PR:L) can inject script that is stored and later executed in the browsers of users who view the affected payment form; successful exploitation requires user interaction (UI:R). All versions of Zoho Billing – Embed Payment Form through version 4.0 are affected. The CVSS 3.1 base score is 6.5 (medium), with network attack vector (AV:N), low attack complexity (AC:L) and changed scope (S:C). The impact is partial loss of confidentiality, integrity and availability, since injected script executing in the victim's browser can steal session tokens, manipulate page content, or perform actions on behalf of the user. No exploitation in the wild has been reported and no patch has been linked at the time of writing. The flaw is notable because payment forms handle sensitive financial data, so exploitation could enable fraud or data leakage. Because user interaction is required, an attacker must also persuade a victim to trigger the payload, typically through phishing or other social engineering.

Potential Impact

For European organizations using Zoho Subscriptions and its Embed Payment Form, this vulnerability puts both customer data confidentiality and transaction integrity at risk. Exploitation could lead to theft of payment information, unauthorized transactions, and reputational damage. Under the GDPR, a breach involving payment or personal data can also carry significant legal and financial penalties. The stored XSS could further be used as a foothold for follow-on attacks within the organization's environment, such as session hijacking or malware delivery. The impact therefore extends beyond direct financial loss to erosion of customer trust and possible disruption of billing operations. Organizations with high transaction volumes or those handling sensitive customer financial data are at greater risk.

Mitigation Recommendations

Organizations should prioritize the following specific mitigation steps:

1. Immediately review and apply any patches or updates released by Zoho for the Embed Payment Form component.
2. Implement strict input validation and output encoding on all user-supplied data within the payment form to prevent script injection.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the payment form context.
4. Conduct regular security testing, including automated scanning and manual penetration testing focused on XSS vulnerabilities in payment-related components.
5. Educate users and administrators about phishing and social engineering risks to reduce the likelihood of successful user-interaction exploitation.
6. Monitor logs and user activity for unusual behavior that could indicate exploitation attempts.
7. Consider isolating the payment form in a sandboxed iframe or on a separate domain to limit the impact of a potential XSS attack.

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-26T09:21:31.391Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd7268

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/4/2025, 11:11:49 PM

Last updated: 8/9/2025, 1:20:50 PM
