CVE-2025-30937 is a medium-severity vulnerability classified under CWE-79, which corresponds to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the WordPress plugin 'Responsify WP' developed by stefanledin, specifically versions up to and including 1.9.11. The issue is a Stored XSS, meaning that malicious input submitted by an attacker is stored persistently on the server and later rendered in web pages viewed by other users without proper sanitization or encoding. This allows attackers to inject arbitrary JavaScript code into pages generated by the plugin. The CVSS v3.1 score is 5.9, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes low confidentiality, integrity, and availability impacts, consistent with typical XSS attacks that can steal session tokens, perform actions on behalf of users, or deface content. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in March 2025 and published in June 2025. Stored XSS in WordPress plugins is a common attack vector that can lead to session hijacking, phishing, or malware distribution within affected websites.

For European organizations using the Responsify WP plugin, this vulnerability poses a risk of client-side attacks that can compromise user sessions, steal sensitive information, or manipulate website content. Since WordPress is widely used across Europe for corporate, governmental, and small business websites, exploitation could lead to reputational damage, data breaches involving personal data protected under GDPR, and potential regulatory penalties. The requirement for high privileges to exploit somewhat limits the attack surface to users with elevated access, such as administrators or trusted contributors, but the changed scope means that the impact could extend beyond the plugin itself, potentially affecting other parts of the website or integrated services. The need for user interaction implies that attackers must trick users into triggering the malicious payload, which could be done via crafted URLs or embedded content. This vulnerability could be leveraged in targeted attacks against European organizations that rely on this plugin for their web presence, especially those handling sensitive user data or providing critical services online.

European organizations should immediately audit their WordPress installations to identify the presence of the Responsify WP plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. If disabling is not feasible, strict input validation and output encoding should be implemented at the application level to sanitize user inputs and prevent script injection. Web Application Firewalls (WAFs) with rules targeting common XSS payloads can provide temporary protection. Additionally, organizations should enforce the principle of least privilege to restrict high-privilege user accounts and monitor administrative activities for suspicious behavior. User education to recognize phishing attempts and suspicious links can reduce the risk of user interaction exploitation. Regular backups and incident response plans should be updated to quickly recover from potential compromises. Once a patch becomes available, prompt application of updates is critical. Finally, security teams should monitor threat intelligence sources for any emerging exploits related to this vulnerability.