CVE-2025-30982 identifies a Stored Cross-site Scripting (XSS) vulnerability in the MyBookProgress software developed by Stormhill Media, affecting versions up to and including 1.0.8. The vulnerability stems from improper neutralization of input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is persistently stored on the server and later executed in the browsers of other users who access the affected pages. This type of vulnerability is particularly dangerous because it can be used to steal session cookies, perform actions on behalf of authenticated users, deface websites, or deliver malware. The vulnerability does not require prior authentication, increasing its risk profile. Although no known exploits are currently reported in the wild, the presence of stored XSS in a web-facing application that manages user content or progress tracking represents a significant attack vector. The lack of a CVSS score indicates that the vulnerability is newly published and may not yet have been fully assessed, but the technical nature and impact of stored XSS are well understood in cybersecurity. The affected product, MyBookProgress, is used for tracking reading progress and managing digital content, which may involve sensitive user data and personalized content, increasing the potential impact of exploitation.

The exploitation of this stored XSS vulnerability can have severe consequences for organizations using MyBookProgress. Attackers can execute arbitrary scripts in the context of other users, leading to session hijacking, theft of sensitive information such as credentials or personal data, and unauthorized actions performed on behalf of users. This can result in data breaches, loss of user trust, and potential regulatory penalties if personal data is compromised. Additionally, attackers may use the vulnerability to deliver malware or conduct phishing campaigns targeting users of the platform. Since the vulnerability does not require authentication, any visitor or user interacting with the affected pages is at risk, broadening the scope of potential victims. The availability of the application could also be indirectly affected if attackers deface pages or disrupt normal operations. Organizations relying on MyBookProgress for digital content management or user engagement may experience reputational damage and operational disruptions if the vulnerability is exploited.

Until an official patch is released by Stormhill Media, organizations should implement several specific mitigations to reduce risk. First, apply strict input validation on all user-supplied data, ensuring that potentially dangerous characters are sanitized or rejected before storage. Second, implement context-aware output encoding on all dynamic content rendered in web pages to prevent execution of injected scripts. Third, employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any successful injection. Fourth, conduct regular security audits and code reviews focusing on input handling and output generation in the MyBookProgress application. Fifth, monitor web server logs and user activity for unusual patterns indicative of XSS exploitation attempts. Finally, educate users about the risks of clicking suspicious links or entering sensitive information on untrusted pages, as social engineering may accompany exploitation attempts. Organizations should also prepare to deploy patches promptly once they become available from the vendor.