CVE-2025-30930 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability identified in the Unreal Themes product 'ACF: Yandex Maps Field'. This vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the flaw allows malicious actors to inject and store arbitrary JavaScript code within the Yandex Maps Field component of the Advanced Custom Fields (ACF) plugin, which is used to integrate Yandex Maps into websites. When a victim user accesses a page containing the malicious payload, the injected script executes in their browser context. The vulnerability affects versions up to 1.1, with no specific lower bound version identified. The CVSS v3.1 base score is 5.9, reflecting a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R), with a scope change (S:C) and limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. Stored XSS vulnerabilities are particularly dangerous because they can lead to session hijacking, defacement, phishing, or distribution of malware by executing malicious scripts in the context of trusted websites. The requirement for high privileges and user interaction somewhat limits the ease of exploitation but does not eliminate risk, especially in environments where multiple users have elevated permissions and interact with the affected web pages.

For European organizations, the impact of this vulnerability can be significant, especially for those using Unreal Themes' ACF: Yandex Maps Field in their web infrastructure. Stored XSS can compromise user accounts, steal sensitive data, and facilitate further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors like e-commerce, government, education, and media that rely on dynamic web content and map integrations are at higher risk. The vulnerability could undermine user trust and lead to regulatory repercussions under GDPR if personal data is exposed or mishandled due to the exploit. Additionally, the scope change indicated in the CVSS vector means that exploitation could affect resources beyond the initially vulnerable component, potentially impacting broader system integrity. The requirement for high privileges to exploit suggests internal threat actors or compromised accounts could leverage this vulnerability, emphasizing the need for strict access controls and monitoring. The absence of known exploits in the wild provides a window for proactive mitigation before active attacks emerge.

To mitigate this vulnerability, European organizations should first identify all instances of the ACF: Yandex Maps Field plugin in their web environments. Since no official patches are currently linked, organizations should implement immediate compensating controls: 1) Restrict high-privilege user access to only trusted personnel and enforce the principle of least privilege to reduce the risk of exploitation. 2) Implement robust input validation and output encoding on all user-supplied data fields related to the Yandex Maps Field to neutralize potential malicious scripts. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of XSS attacks. 4) Monitor web application logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate users with elevated privileges about the risks of interacting with untrusted content and the importance of cautious behavior. 6) Stay updated with Unreal Themes and Patchstack advisories for official patches or updates and apply them promptly once available. 7) Consider temporary removal or disabling of the affected plugin component if feasible until a patch is released.