CVE-2025-30900 MEDIUM

CVE-2025-30900: WordPress Zoho Billing – Embed Payment Form plugin <= 4.0 - Stored Cross Site Scripting (XSS) vulnerability

Vendor: Zoho Subscriptions
Product: Zoho Billing – Embed Payment Form
Weakness: CWE-79 · XSS
Published: March 27, 2025
Last update: May 10, 2025

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing – Embed Payment Form allows Stored XSS. This issue affects Zoho Billing – Embed Payment Form: from n/a through 4.0.

Explanation of Vulnerability in Simple Terms

02 Summary

The Zoho Billing Embed Payment Form contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious scripts into the payment form. An authenticated user must visit a crafted link for the attack to succeed. The injected script can steal session data, modify form content, or perform actions on behalf of the victim. This affects all versions up to 4.0.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript into the payment form to steal user data or perform unauthorized actions.

Potential impact on your site

04 Site Impact

Customer payment data and session tokens could be compromised if users interact with crafted payment form links.

Conditions required to exploit

05 Prerequisites

An attacker needs a low-privilege account and must trick a user into clicking a malicious link.

Key dates

06 Disclosure timeline

March 27, 2025: CVE published
May 10, 2025: Record updated