
CVE-2025-30950: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP Wham All Currencies for WooCommerce

Medium
Tags: Vulnerability, CVE-2025-30950, cve, cve-2025-30950, cwe-79
Published: Fri Jun 06 2025 (06/06/2025, 12:54:11 UTC)
Source: CVE Database V5
Vendor/Project: WP Wham
Product: All Currencies for WooCommerce

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce allows Stored XSS. This issue affects All Currencies for WooCommerce: from n/a through 2.4.4.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 03:54:47 UTC

Technical Analysis

CVE-2025-30950 is a stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in the WordPress plugin 'All Currencies for WooCommerce' by WP Wham. The plugin adds currency conversion features to WooCommerce-based e-commerce sites. The flaw arises from improper neutralization of input during web page generation: input written to the plugin's data fields is not encoded when it is later rendered, so a malicious actor can inject and store arbitrary JavaScript in those fields. When a user or administrator later views the affected page, the stored script runs in their browser context. The CVSS 3.1 base score is 6.5 (medium), with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: the attack can be performed remotely over the network with low attack complexity, requires privileges (likely a logged-in user with some level of access), and needs user interaction (such as viewing the page). The scope is changed, since the script executes in the browsers of other users, and the impact on confidentiality, integrity, and availability is rated low; in practice a stored XSS of this kind enables session hijacking, defacement, or further exploitation. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects all versions of the plugin up to and including 2.4.4. Stored XSS in e-commerce plugins is particularly dangerous because it can target both site administrators and customers, potentially leading to theft of credentials or payment information, or to unauthorized actions performed on behalf of users.

Potential Impact

For European organizations operating WooCommerce-based e-commerce platforms using the 'All Currencies for WooCommerce' plugin, this vulnerability poses a significant risk. Exploitation could lead to compromise of user sessions, theft of sensitive customer data including payment information, and unauthorized transactions. The stored nature of the XSS means that malicious scripts can persist and affect multiple users over time, increasing the attack surface. This can damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and result in financial losses. Given the widespread use of WooCommerce in Europe and the importance of e-commerce, especially in countries with large online retail sectors such as Germany, France, and the UK, the impact could be substantial. Additionally, attackers could leverage this vulnerability to pivot to administrative accounts, potentially leading to full site compromise or defacement, further exacerbating the damage.

Mitigation Recommendations

Organizations should immediately audit their WooCommerce installations to identify if the 'All Currencies for WooCommerce' plugin is in use and verify the version. Until an official patch is released, it is recommended to disable or remove the plugin to eliminate the attack vector. Implement strict input validation and output encoding on all user-supplied data within the plugin's scope to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts. Limit plugin access to trusted users only, and enforce the principle of least privilege to reduce the risk from compromised accounts. Regularly update WordPress core, WooCommerce, and all plugins to their latest versions once patches become available. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.
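One way to carry out the audit step above, as an added example that is not the advisory's or the vendor's own tooling: a POSIX shell check over the CSV output of WP-CLI's `wp plugin list --format=csv --fields=name,version,status`, flagging installs at or below 2.4.4 (the affected range stated on this page). The plugin's slug is not given on this page, so `PLUGIN_SLUG` is an assumed placeholder, and `wp` is assumed to be installed on the host.

```shell
#!/bin/sh
# Added example: flag affected installs of the plugin from WP-CLI plugin-list output.
# PLUGIN_SLUG is an assumed placeholder; set it to the slug shown by `wp plugin list`.
PLUGIN_SLUG="${PLUGIN_SLUG:-all-currencies-for-woocommerce}"
MAX_AFFECTED="2.4.4"   # highest affected version per the advisory ("through 2.4.4")

# version_le A B: returns 0 when A <= B under version ordering (GNU/BSD sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_plugin_csv: reads "name,version,status" lines on stdin (the WP-CLI CSV,
# header included), prints a verdict per matching plugin row, and returns 0 if
# the plugin is present in an affected version, 1 otherwise.
check_plugin_csv() {
  found=1
  while IFS=, read -r name version status; do
    [ "$name" = "$PLUGIN_SLUG" ] || continue
    if version_le "$version" "$MAX_AFFECTED"; then
      echo "AFFECTED: $name $version ($status) is <= $MAX_AFFECTED; disable or update"
      found=0
    else
      echo "ok: $name $version is above $MAX_AFFECTED"
    fi
  done
  return $found
}

# Typical use on a live site (assumes WP-CLI on the host):
#   wp plugin list --format=csv --fields=name,version,status | check_plugin_csv
```

Run it against every WordPress install you manage, not just the main site; a staging copy with the same plugin version is just as exposed.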


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-26T09:22:08.301Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842eddc71f4d251b5c87ffa

Added to database: 6/6/2025, 1:32:12 PM

Last enriched: 7/8/2025, 3:54:47 AM

Last updated: 8/14/2025, 9:07:14 AM

Views: 16
