CVE-2025-30991 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Shahjada Premium Packages product up to version 6.0.2. Stored XSS occurs when malicious input is improperly neutralized during web page generation and is persistently stored on the server, later served to users without adequate sanitization or encoding. This vulnerability allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts into web pages generated by the Premium Packages application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches or mitigations have been officially released yet. The vulnerability was reserved in March 2025 and published in June 2025, indicating recent discovery and disclosure. The lack of patch links suggests that users of Shahjada Premium Packages should be vigilant and consider interim protective measures until an official fix is available.

For European organizations using Shahjada Premium Packages, this vulnerability poses a tangible risk of client-side attacks that can compromise user sessions and data confidentiality. Stored XSS can be leveraged to steal authentication tokens, perform unauthorized actions on behalf of users, or deliver malware payloads. Organizations in sectors with sensitive user data such as finance, healthcare, and e-commerce are particularly at risk. The scope change in the CVSS vector implies that exploitation could impact multiple components or users beyond the initially targeted system, increasing the potential damage. Given the requirement for low privileges and user interaction, attackers might exploit social engineering or compromised accounts to inject malicious scripts. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure. European organizations must consider the regulatory implications under GDPR if personal data is compromised through such attacks, potentially leading to legal and reputational consequences.

Until an official patch is released, European organizations should implement several targeted mitigations: 1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting Shahjada Premium Packages. 2) Conduct thorough input validation and output encoding on all user-supplied data within the application, especially in areas where the Premium Packages product integrates or displays user content. 3) Enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, limiting the impact of injected scripts. 4) Review and tighten user privilege assignments to minimize the number of users who can input data that is rendered without sanitization. 5) Increase user awareness and training to recognize phishing or social engineering attempts that could facilitate exploitation. 6) Monitor application logs and user activity for unusual behavior indicative of attempted XSS exploitation. 7) Prepare for rapid deployment of patches once Shahjada releases an official fix by maintaining an up-to-date inventory of affected systems and establishing a patch management process.