CVE-2025-30982
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS vulnerability in MyBookProgress WordPress plugin up to version 1.0.8 allows attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MyBookProgress plugin for WordPress, developed by Stormhill Media, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation. All versions up to and including 1.0.8 are affected. The vulnerability exists in input fields whose values are saved and later displayed without proper sanitization, allowing arbitrary script injection.
Exploitation
An attacker with the ability to submit content (e.g., a contributor or author role) can inject malicious JavaScript into a field that is stored in the database. When an administrator or other user views the page containing the stored input, the script executes in their browser. No special network position is required beyond standard WordPress access.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or further privilege escalation if an administrator is targeted. The impact is limited to the WordPress site's user base and does not extend to the server itself.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of January 16, 2025, due to a security issue [1]. No patched version is available. Users who have the plugin installed should uninstall it immediately. There is no known workaround; removal is the only safe course of action.
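Since removal is the only remediation, the practical first step is finding every copy of the plugin on a host. The following inventory check is an added example, not code from the plugin or from this advisory's sources. It assumes the standard `wp-content/plugins/<slug>` layout and reads the version from the plugin header the way WordPress does, and the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "mybookprogress"   # slug as listed on this page
LAST_AFFECTED = (1, 0, 8)        # page: affected range is <= 1.0.8
# Same header shape WordPress reads from the top of a plugin's main file.
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)


def version_tuple(text):
    """'1.0.8' -> (1, 0, 8); trailing zeros are dropped so 1.0.8.0 == 1.0.8."""
    numeric = re.match(r"[\d.]+", text).group()
    parts = [int(p) for p in numeric.split(".") if p]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def header_version(plugin_dir):
    """Return the Version header of the main plugin file, or None if absent."""
    for php in sorted(plugin_dir.glob("*.php")):
        with php.open("rb") as fh:
            head = fh.read(8192)          # WordPress only reads the first 8 KiB
        if b"Plugin Name:" in head:
            m = VERSION_RE.search(head)
            return m.group(1).decode("ascii") if m else None
    return None


def find_installs(root):
    """Return (path, version, status) for each copy of the plugin under root."""
    findings = []
    for d in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        if not d.is_dir():
            continue
        ver = header_version(d)
        if ver is None:
            status = "unknown-version"    # directory exists but no header found
        elif version_tuple(ver) <= LAST_AFFECTED:
            status = "affected"
        else:
            status = "outside-listed-range"
        findings.append((str(d), ver, status))
    return findings


if __name__ == "__main__":
    hits = find_installs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, ver, status in hits:
        print(f"{status}\t{ver or '-'}\t{path}")
    sys.exit(1 if hits else 0)            # non-zero exit when any copy is found
```

Because no patched release exists, every hit is a candidate for removal regardless of status; the status column only records whether the installed version falls in the range this page lists.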
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.8
Patches
mybookprogress: This plugin was removed from the WordPress.org directory on 2025-01-16 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References