CVE-2025-30983

Vulnerability

Overview The Card flip image slideshow plugin for WordPress versions through 1.5 suffers from a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, which means the plugin fails to sanitize or escape data before inserting it into the DOM [1].

Exploitation

Conditions Exploitation requires user interaction — a privileged user (such as an admin) must click a crafted link, visit a specially prepared page, or submit a form that triggers the vulnerable functionality. This opens the door for an attacker who can convince a legitimate user to perform such an action [1].

Impact

A successful attack allows a malicious actor to inject arbitrary scripts into the website. These scripts can execute in the context of the visitor's browser, enabling actions like redirecting users to malicious sites, displaying unwanted advertisements, or delivering other HTML payloads [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the need for user interaction and the potential for widespread, automated exploitation campaigns.

Mitigation

Immediate action is advised: update the plugin to a patched version if available. As no version beyond 1.5 is listed, users should check for updates from the developer or consider alternative plugins. If updating is not possible, contact your hosting provider or a web developer for assistance [1].