CVE-2025-31029

Vulnerability

Overview CVE-2025-31029 is a Stored Cross-Site Scripting (XSS) vulnerability found in the replyMail plugin for WordPress, affecting versions through 1.2.0. The root cause is improper neutralization of user-supplied input during web page generation, allowing persistent injection of malicious scripts into pages served by the plugin [1]. This class of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites, regardless of their traffic or popularity [1].

Exploitation

Details Exploitation requires an authenticated user with at least contributor-level privileges to inject a crafted payload via a vulnerable field (e.g., a form input or email template). The payload is stored on the server and executed in the browsers of any user visiting the affected page, including administrators. No additional user interaction is needed beyond viewing the compromised page, making it a high-privilege, low-complexity attack vector [1].

Impact

A successful attack allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a victim’s session. This can lead to session hijacking, forced actions (such as creating admin accounts or modifying settings), and exfiltration of sensitive data. The CVSS v3 score of 7.1 (High) reflects the potential for significant confidentiality, integrity, and availability impacts [1].

Mitigation

Status No patched version has been released as of the publication date. Users are strongly advised to update the plugin as soon as a fix becomes available. Until then, administrators should review user roles and consider disabling the plugin or applying a web application firewall (WAF) rule to block script injection attempts. Given the active exploitation landscape, immediate action is recommended [1].