CVE-2025-31061

Vulnerability

Overview

The Wishlist plugin for WordPress (versions 2.1.0 and below) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during page generation [1]. This allows an attacker to inject arbitrary web scripts into the application.

Exploitation

Details

To exploit this vulnerability, an attacker must craft a malicious link or request containing the XSS payload and trick a privileged user (e.g., an administrator) into clicking it. User interaction is required, as the victim must visit a crafted page or submit a form [1]. The attack does not require authentication on the attacker's part but depends on the victim's session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML content [1]. Given that this vulnerability is expected to be used in mass exploitation campaigns, it poses a moderate risk to affected sites.

Mitigation

The vendor has not yet released a patched version, but Patchstack has provided a mitigation rule to block attacks until an official patch is available [1]. Users are strongly advised to update the plugin as soon as a fix is released, or apply the mitigation rule immediately.