
CVE-2025-30938: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in broadly Broadly for WordPress

Severity: Medium
Tags: vulnerability, cve-2025-30938, cwe-79
Published: Fri Jun 06 2025 (06/06/2025, 12:54:16 UTC)
Source: CVE Database V5
Vendor/Project: broadly
Product: Broadly for WordPress

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in broadly Broadly for WordPress allows Stored XSS. This issue affects Broadly for WordPress: from n/a through 3.0.2.

AI-Powered Analysis

Last updated: 07/08/2025, 04:10:41 UTC

Technical Analysis

CVE-2025-30938 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the Broadly plugin for WordPress, specifically versions up to and including 3.0.2. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Stored XSS occurs when malicious input is saved by the application and later rendered in a web page without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the browsers of users who view the affected page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS 3.1 vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality, integrity, and availability impacts are each rated low, but in combination they can be significant for affected users. No known exploits are currently reported in the wild, and no patches are linked yet, so affected sites should watch for and apply an update as soon as one is available. The vulnerability is specific to the Broadly plugin, a WordPress extension for customer engagement and reputation management, widely used by small to medium businesses to manage reviews and customer communications on WordPress sites.
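To make the CWE-79 pattern concrete, here is an added example (not Broadly's code, and not a reproduction of the plugin's actual defect) of how a stored value becomes a script injection at render time, and the context-aware encoding that prevents it. The "review" record, its field names and the helper function names are assumptions for illustration only; inside WordPress the idiomatic calls are esc_html() and esc_attr(), and the helpers fall back to htmlspecialchars() so the file runs stand-alone with `php stored_xss_encoding.php`.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Hypothetical "review" record as it might
// be read back from the database after a privileged user saved it (constructed).
$storedReview = [
    'author'  => 'Jane <script>alert(1)</script>',
    'rating'  => '5" onmouseover="alert(1)',
    'comment' => 'Great service! <img src=x onerror=alert(1)>',
];

/** Vulnerable (CWE-79): stored values are interpolated straight into the markup. */
function render_review_unsafe(array $r): string
{
    return '<div class="review" data-rating="' . $r['rating'] . '">'
         . '<strong>' . $r['author'] . '</strong>: ' . $r['comment']
         . '</div>';
}

/** Encoding for HTML text nodes; esc_html() in WordPress, htmlspecialchars() elsewhere. */
function esc_text(string $s): string
{
    if (function_exists('esc_html')) {
        return esc_html($s);
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Encoding for values inside a double-quoted attribute; esc_attr() in WordPress. */
function esc_attribute(string $s): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($s);
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Defence in depth at save time: a rating is only ever an integer 1..5, never free text. */
function sanitize_rating(string $raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $n === false ? 0 : $n;
}

/** Hardened: every stored value is encoded for the exact context it is emitted into. */
function render_review_safe(array $r): string
{
    return '<div class="review" data-rating="' . esc_attribute((string) sanitize_rating($r['rating'])) . '">'
         . '<strong>' . esc_text($r['author']) . '</strong>: ' . esc_text($r['comment'])
         . '</div>';
}

echo "UNSAFE (script executes in the viewer's browser):\n";
echo render_review_unsafe($storedReview), "\n\n";

echo "SAFE (markup characters rendered as literal text):\n";
echo render_review_safe($storedReview), "\n";

// Self-check: no executable tag survives in the hardened output.
assert(strpos(render_review_safe($storedReview), '<script') === false);
assert(strpos(render_review_safe($storedReview), 'onerror=') === false);
```

The point of keeping two helpers rather than one is that encoding is context-dependent: the same string needs different treatment in a text node, an attribute value, a URL or a JavaScript string, and applying the wrong one (or sanitizing on input only) is how plugins typically end up with a CWE-79 finding. Validation on save (the rating clamp) narrows what can be stored at all, but output encoding is the control that actually closes the stored XSS path.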

Potential Impact

For European organizations using WordPress sites with the Broadly plugin, this vulnerability poses a risk of client-side attacks that can compromise user data and trust. Stored XSS can lead to theft of session cookies or credentials of site administrators or customers, enabling further compromise of the website or user accounts. This can result in data breaches, reputational damage, and regulatory non-compliance under GDPR if personal data is exposed. The requirement for high privileges to exploit reduces the risk from anonymous attackers but increases concern if insider threats or compromised admin accounts exist. The scope change means that the attack can affect other components or users beyond the plugin itself, potentially amplifying the impact. European organizations in sectors such as e-commerce, professional services, and hospitality that rely on customer reviews and engagement through WordPress are particularly at risk. The absence of known exploits suggests a window for proactive mitigation before active exploitation occurs.

Mitigation Recommendations

1. Immediately audit WordPress sites for the presence of the Broadly plugin and identify versions in use.
2. Monitor official Broadly and WordPress plugin repositories for patches addressing CVE-2025-30938 and apply updates promptly once available.
3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin's input fields.
4. Enforce strict user privilege management to limit administrative access and reduce the risk of high-privilege account compromise.
5. Conduct regular security reviews and penetration testing focusing on input validation and output encoding in WordPress plugins.
6. Educate site administrators about the risks of stored XSS and the importance of cautious handling of user-generated content.
7. Consider temporarily disabling or replacing the Broadly plugin with alternative solutions if immediate patching is not feasible.
8. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the site.
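Recommendation 8 is the one mitigation that reduces impact even before a patch exists, so here is an added example (not Broadly's code, not part of the original advisory) of a nonce-based Content-Security-Policy emitted from a WordPress site. The `/csp-report` endpoint and the function names are assumptions; `send_headers` is a real WordPress action, and when the file is run outside WordPress it prints the header it would send instead of calling header().

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code: a per-request nonce means a stored
// <script> payload, which cannot know the nonce, is refused by the browser.

/** 128-bit random nonce, base64-encoded, generated once per request. */
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Build the policy as [header name, header value]. Scripts run only if they come
 * from this origin or carry the nonce. /csp-report is a hypothetical endpoint.
 */
function build_csp(string $nonce, bool $reportOnly): array
{
    $directives = [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",        // no plugin/object embedding
        "base-uri 'self'",          // an injected <base> cannot hijack relative URLs
        "frame-ancestors 'self'",   // clickjacking protection
        "report-uri /csp-report",   // violations are reported, which doubles as XSS detection
    ];
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return [$name, implode('; ', $directives)];
}

/**
 * Emit the header. Default to report-only: WordPress themes and plugins use
 * inline scripts freely, so enforce only after the reports show what would break.
 */
function send_csp(string $nonce, bool $reportOnly = true): void
{
    [$name, $value] = build_csp($nonce, $reportOnly);
    header($name . ': ' . $value);
}

/** A legitimate inline script: the nonce attribute is what lets the browser run it. */
function nonced_script(string $nonce, string $js): string
{
    // $js is developer-authored code, not user data; only the nonce is attribute-encoded.
    return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">' . $js . '</script>';
}

$nonce = csp_nonce();

if (function_exists('add_action')) {
    // Inside WordPress: attach to the real send_headers action so the header
    // goes out before any page output.
    add_action('send_headers', function () use ($nonce): void {
        send_csp($nonce);
    });
} else {
    // Stand-alone demo: show the header and the two kinds of inline script.
    [$name, $value] = build_csp($nonce, true);
    echo $name, ': ', $value, "\n\n";
    echo nonced_script($nonce, 'console.log("runs: carries the nonce")'), "\n";
    echo '<script>console.log("refused: no nonce; browser sends a report to /csp-report")</script>', "\n";
}
```

Two practical notes: the nonce must be generated once per request and reused by every legitimate inline script on that page, so generate it early and pass it to the templates rather than calling csp_nonce() twice; and the `report-uri` traffic is worth routing into the SOC's log pipeline, because a burst of `script-src` violations on a single page is a strong signal that something stored on that page is trying to execute.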


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-26T09:22:01.080Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842eddc71f4d251b5c87fd7

Added to database: 6/6/2025, 1:32:12 PM

Last enriched: 7/8/2025, 4:10:41 AM

Last updated: 8/3/2025, 8:13:58 PM
