CVE-2025-30950 identifies a stored Cross-site Scripting (XSS) vulnerability in the WP Wham All Currencies for WooCommerce plugin, which is widely used to manage multiple currencies in WooCommerce-based e-commerce websites. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker with low privileges (PR:L) to inject malicious scripts that are stored and later executed in the context of other users who view the affected pages, requiring user interaction (UI:R) to trigger. The vulnerability affects all versions up to 2.4.3 and has a CVSS 3.1 base score of 6.5, indicating medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and the scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. Successful exploitation can lead to partial loss of confidentiality, integrity, and availability, such as session hijacking, defacement, or unauthorized actions on behalf of users. No public exploits have been reported yet, but the widespread use of WooCommerce and this plugin increases the risk profile. The vulnerability was reserved in March 2025 and published in June 2025, with no patches currently linked, highlighting the need for vigilance and interim mitigations.

For European organizations, particularly those operating e-commerce platforms using WooCommerce and the WP Wham All Currencies plugin, this vulnerability poses a significant risk. Exploitation could allow attackers to execute malicious scripts in the browsers of customers or administrators, potentially leading to theft of session cookies, redirection to phishing sites, unauthorized transactions, or defacement of web content. This undermines customer trust, may lead to regulatory non-compliance under GDPR due to data breaches, and could cause financial losses. The medium severity indicates that while the impact is not catastrophic, it is sufficient to disrupt business operations and damage reputation. Given the interconnected nature of European e-commerce and the importance of secure online transactions, the threat could have cascading effects, especially in countries with high WooCommerce market penetration. Additionally, attackers might leverage this vulnerability as a foothold for further attacks within the network.

Organizations should immediately inventory their WooCommerce installations to identify the presence of the WP Wham All Currencies plugin and its version. Although no official patches are currently available, administrators should apply any forthcoming updates from the vendor promptly. In the interim, restrict user input fields to disallow or sanitize HTML and JavaScript content rigorously, employing server-side validation and escaping output properly. Deploy Web Application Firewalls (WAFs) with specific rules to detect and block XSS payloads targeting this plugin. Conduct regular security audits and penetration testing focused on input validation weaknesses. Educate staff and users about the risks of XSS and encourage cautious behavior regarding unexpected links or inputs. Monitor logs for unusual activity indicative of attempted exploitation. Consider disabling or replacing the plugin with alternatives that have stronger security postures if immediate patching is not feasible. Finally, ensure that Content Security Policy (CSP) headers are implemented to reduce the impact of potential script injections.