VYPR
Medium severity (score 6.5) · NVD Advisory · Published Apr 1, 2025 · Updated Apr 23, 2026 · No known patch

CVE-2025-30613

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in N-Media's Nmedia MailChimp plugin for WordPress (slug: nmedia-mailchimp-widget) allows Stored XSS. This issue affects Nmedia MailChimp: from n/a through <= 5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Nmedia MailChimp plugin (<=5.4) allows script injection; plugin removed from WordPress.org, no patch.

Vulnerability

Stored cross-site scripting (XSS) vulnerability in the Nmedia MailChimp plugin for WordPress (slug: nmedia-mailchimp-widget) through version 5.4. The plugin fails to properly neutralize user input during web page generation, allowing arbitrary HTML and JavaScript to be stored and executed. [1]

Exploitation

The advisory does not identify which input field is left unsanitized or what privilege level is needed to store a payload; whether the vulnerable field is reachable by unauthenticated visitors through the subscription form or only by an authenticated WordPress account is not stated. Once a payload is stored, the plugin renders it unescaped, so the script executes in the browser of any user who views the affected page, including administrators. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of other users of the site, leading to session hijacking, defacement, or theft of sensitive information. Because the script runs with the victim's browser session, it can perform actions on the victim's behalf; if the victim is an administrator, that includes modifying WordPress settings, creating accounts, or exfiltrating data. [1]

Mitigation

No patched version is available. The plugin was removed from the WordPress.org plugin directory on March 18, 2025, due to a security issue, so no fixed release is being distributed through the official channel. Users are advised to uninstall the plugin immediately (delete it, not merely deactivate it, so its code is no longer on disk) and replace it with an alternative subscription service. Subscriber data the plugin stored should be reviewed for injected markup before it is migrated to a replacement. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0
Plugin removed: N-Media MailChimp Subscription (nmedia-mailchimp-widget)

This plugin has been removed from the WordPress.org directory on 2025-03-18 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
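Since the only remediation is removal, the practical first step is finding every WordPress install that still ships the plugin and whether its version falls in the affected range (<= 5.4). The script below is an added example written for this page; it is not the plugin's code and not taken from the advisory. It assumes the standard WordPress layout (plugins under wp-content/plugins/<slug>/, with a "Plugin Name:" and "Version:" header in the main PHP file) and, when run with no arguments, audits a constructed fixture tree instead of real sites.

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's own code): audit one or
# more WordPress document roots for the removed nmedia-mailchimp-widget plugin
# and report whether the installed version is in the affected range (<= 5.4).
# Assumptions: plugins live under wp-content/plugins/<slug>/ and the plugin's
# main file carries standard "Plugin Name:" / "Version:" header lines. These
# are WordPress conventions, not details taken from this advisory.

SLUG="nmedia-mailchimp-widget"
MAX_AFFECTED="5.4"   # upper bound of the affected range stated in the CVE

# version_le A B: return 0 if dotted version A <= B, comparing each numeric
# component; missing components count as 0, non-digit suffixes are dropped.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        if [ "$a" = "$ca" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$cb" ]; then b=""; else b="${b#*.}"; fi
        ca="${ca%%[!0-9]*}"; cb="${cb%%[!0-9]*}"
        ca="${ca:-0}"; cb="${cb:-0}"
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
    done
    return 0
}

# plugin_version ROOT: print the Version header of the plugin installed
# under ROOT. Returns 1 if the plugin directory is absent; prints nothing
# (but returns 0) if the directory exists without a parsable header.
plugin_version() {
    dir="$1/wp-content/plugins/$SLUG"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        # The main plugin file is the one carrying the "Plugin Name:" header.
        if grep -q 'Plugin Name:' "$f"; then
            sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1
            return 0
        fi
    done
    return 0
}

# audit_root ROOT: print "ROOT<TAB>status<TAB>version". Exit status:
# 0 absent, 2 installed in the affected range, 3 installed but version
# unknown or above 5.4 (still unpatched, since no fixed release exists).
audit_root() {
    root="$1"
    ver=$(plugin_version "$root") || { printf '%s\tabsent\t-\n' "$root"; return 0; }
    if [ -z "$ver" ]; then
        printf '%s\tinstalled-unknown-version\t-\n' "$root"; return 3
    fi
    if version_le "$ver" "$MAX_AFFECTED"; then
        printf '%s\taffected\t%s\n' "$root" "$ver"; return 2
    fi
    printf '%s\tinstalled-above-range\t%s\n' "$root" "$ver"; return 3
}

# make_fixture: build a constructed (not real) set of WordPress trees under
# a temp dir and print its path: site-a has the plugin at 5.4, site-b at a
# hypothetical 5.10 to exercise the range check, site-c has no plugin.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a/wp-content/plugins/$SLUG" \
             "$tmp/site-b/wp-content/plugins/$SLUG" \
             "$tmp/site-c/wp-content/plugins"
    printf '<?php\n/**\n * Plugin Name: Nmedia MailChimp Subscription\n * Version: 5.4\n */\n' \
        > "$tmp/site-a/wp-content/plugins/$SLUG/$SLUG.php"
    printf '<?php\n/*\nPlugin Name: Nmedia MailChimp Subscription\nVersion: 5.10\n*/\n' \
        > "$tmp/site-b/wp-content/plugins/$SLUG/$SLUG.php"
    printf '%s\n' "$tmp"
}

# Usage: sh audit-nmedia-mailchimp.sh /var/www/site1 /var/www/site2 ...
# With no arguments the constructed fixture is audited instead.
demo=0
if [ "$#" -eq 0 ]; then
    demo=1
    fx=$(make_fixture)
    set -- "$fx/site-a" "$fx/site-b" "$fx/site-c"
fi
worst=0
for r in "$@"; do
    audit_root "$r" || { rc=$?; if [ "$rc" -gt "$worst" ]; then worst=$rc; fi; }
done
if [ "$demo" -eq 1 ]; then rm -rf "$fx"; else exit "$worst"; fi
```

On a real fleet, run it with the document roots as arguments; the exit status is the worst finding, which makes it usable from a cron job or configuration-management check. For each root reported as affected or installed, remove the plugin with WP-CLI (`wp plugin deactivate nmedia-mailchimp-widget --path=ROOT` followed by `wp plugin delete nmedia-mailchimp-widget --path=ROOT`) rather than only deactivating it, since no fixed version will arrive through the directory.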

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.