CVE-2025-30951: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Stiofan BlockStrap Page Builder - Bootstrap Blocks
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stiofan BlockStrap Page Builder - Bootstrap Blocks allows Stored XSS. This issue affects BlockStrap Page Builder - Bootstrap Blocks: from n/a through 0.1.36.
AI Analysis
Technical Summary
CVE-2025-30951 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Stiofan BlockStrap Page Builder - Bootstrap Blocks product. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious actors to inject and store arbitrary scripts within the application. When other users access the affected pages, these scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability affects versions up to 0.1.36, with no specific earliest affected version identified. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is needed to trigger the exploit. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality, integrity, and availability loss. No known exploits are currently reported in the wild, and no patches have been linked yet. Stored XSS vulnerabilities are particularly dangerous as they can affect multiple users and persist over time, increasing the attack surface and potential damage. The vulnerability is significant for web applications using the BlockStrap Page Builder, which is a tool for building Bootstrap-based web pages, often used in content management systems or custom website solutions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to those using the Stiofan BlockStrap Page Builder in their web infrastructure. Exploitation could lead to theft of user credentials, session tokens, or other sensitive data, enabling attackers to impersonate users or escalate privileges. This can result in data breaches, unauthorized transactions, or defacement of websites, damaging organizational reputation and potentially violating GDPR requirements regarding data protection and breach notification. The medium severity suggests that while the impact is not catastrophic, it is significant enough to warrant prompt attention, especially for organizations handling sensitive or personal data. The requirement for user interaction means phishing or social engineering could be used to lure users into triggering the exploit. The changed scope indicates that the vulnerability could affect components beyond the immediate application, possibly impacting integrated systems or third-party services. European organizations with customer-facing websites or intranet portals built with this page builder are at risk of service disruption, data leakage, and compliance issues.
Mitigation Recommendations
1. Immediate mitigation should include reviewing and sanitizing all user inputs on the affected web pages to ensure proper encoding and neutralization of potentially malicious scripts.
2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
3. Monitor web application logs for unusual input patterns or script injections indicative of exploitation attempts.
4. Restrict privileges for users who can input content into the page builder to minimize the risk of malicious content insertion.
5. Educate users about phishing and social engineering risks to reduce the likelihood of user interaction triggering the exploit.
6. Since no patch is currently linked, maintain close communication with the vendor (Stiofan) for updates and apply patches as soon as they become available.
7. Conduct regular security assessments and penetration testing focusing on input validation and XSS vulnerabilities in the affected application.
8. Consider deploying Web Application Firewalls (WAF) with rules tailored to detect and block XSS payloads targeting the BlockStrap Page Builder.
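Recommendations 1 and 2 above are the core defence against a stored XSS of this kind: stored block fields must be encoded for the exact HTML context they are written into, and a CSP should limit what any script that slips through can do. The following Python example is added here to illustrate those two recommendations; it is not code from the BlockStrap Page Builder or from this advisory. The block structure (`style`, `href`, `title`, `label`), the sample content and the nonce value are constructed for the illustration, and the rendered `<a>` element stands in for whatever markup a real block emits. The point it adds to the text is that plain HTML escaping is not enough for a URL attribute: a `javascript:` value survives escaping untouched, so the scheme has to be allow-listed separately.

```python
"""Context-aware output encoding for stored page-builder content.

Added example (not BlockStrap project code). It shows the three encoding
decisions a block renderer makes when stored user input is written back
into HTML (text node, quoted attribute, URL attribute), plus a
Content-Security-Policy header that blocks inline scripts if an encoding
step is ever missed.
"""
import html
from urllib.parse import urlsplit

# Schemes a stored link may use; an empty scheme means a relative URL.
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}

# Constructed sample of what a stored block record might look like after an
# attacker-controlled field has been saved. Field names are assumptions.
SAMPLE_BLOCK = {
    "style": 'btn-primary" onmouseover="alert(1)',
    "href": "javascript:alert(1)",
    "title": 'Read "more"',
    "label": "Click <script>alert(1)</script>",
}


def encode_text(value: str) -> str:
    """Encode a value placed between tags (text-node context)."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """Encode a value placed inside a double-quoted attribute."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """Return an attribute-safe href, or '#' if the scheme is not allowed.

    html.escape does nothing to 'javascript:alert(1)' because it contains
    none of the characters the function rewrites, so the scheme must be
    checked before the value is attribute-encoded.
    """
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in SAFE_URL_SCHEMES:
        return "#"
    return encode_attr(value)


def render_button_block(block: dict) -> str:
    """Render a button block with each stored field encoded for its context."""
    return (
        f'<a class="btn {encode_attr(block["style"])}" '
        f'href="{safe_url(block["href"])}" '
        f'title="{encode_attr(block["title"])}">'
        f'{encode_text(block["label"])}</a>'
    )


def csp_header(nonce: str) -> str:
    """CSP allowing only same-origin and nonce-tagged scripts.

    With this policy an injected inline <script> or on* handler is refused
    by the browser even if it reaches the page; the nonce is assumed to be
    generated per response by the serving application.
    """
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    print(render_button_block(SAMPLE_BLOCK))
    print("Content-Security-Policy:", csp_header("d2VBcmVOb3RSYW5kb20"))
```

Running the module prints the rendered element with every hostile fragment of `SAMPLE_BLOCK` neutralised: the `<script>` tag becomes `&lt;script&gt;`, the injected quote in `style` becomes `&quot;`, and the `javascript:` link is replaced by `#`. Output encoding of this sort belongs at render time in the plugin; a WAF (recommendation 8) or the CSP is a compensating layer, not a substitute.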
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-26T09:22:08.301Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 6842eddc71f4d251b5c87ffd
Added to database: 6/6/2025, 1:32:12 PM
Last enriched: 7/8/2025, 3:42:34 AM
Last updated: 8/7/2025, 4:36:03 PM