CVE-2025-30972
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamapinan Woocommerce Line Notify woo-line-notify allows Stored XSS. This issue affects Woocommerce Line Notify: from n/a through <= 1.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WordPress WooCommerce Line Notify plugin (≤1.1.7) allows privileged attackers to inject malicious scripts that execute in visitors' browsers.
A stored cross-site scripting (XSS) vulnerability exists in the WooCommerce Line Notify plugin (versions ≤ 1.1.7) for WordPress. The issue stems from improper neutralization of user input during web page generation, where the plugin fails to sanitize or escape data before storing it. This allows an attacker with the requisite privileges to inject arbitrary HTML and JavaScript payloads that will be persistently stored on the server [1].
Exploitation of this vulnerability requires a privileged user role (such as an administrator) to perform an action that saves the malicious payload—for example, submitting a crafted form or clicking a specially prepared link. The attacker does not need to trick a site visitor directly; instead, the stored script will execute automatically when any guest visits an affected page, enabling broader reach without additional user interaction [1].
The impact of a successful exploit includes the ability to inject malicious scripts, such as advertisements, redirects, or other HTML payloads, into the website. These scripts execute in the browsers of visitors, potentially leading to data theft, session hijacking, or defacement. The CVSS v3 base score of 7.1 (High) reflects this capability, and the vulnerability is considered moderately dangerous with a likelihood of being used in mass-exploit campaigns targeting thousands of sites regardless of traffic size [1].
As a mitigation, the affected plugin should be updated to a patched version as soon as it becomes available. The vendor recommends updating immediately; if an update is not yet released, a mitigation rule from Patchstack can block attacks until an official patch can be safely applied. Site administrators unable to update immediately should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.1.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.