CVE-2025-31556

Vulnerability

Overview

The IMPress for IDX Broker plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions up to and including 3.2.3, allowing attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users visit affected pages [1].

Exploitation

Details

Exploitation requires an authenticated user with at least contributor-level privileges. The attacker must craft a malicious payload and submit it via a vulnerable input field. While the vulnerability can be initiated by a privileged role, successful execution also requires another user (such as an administrator or visitor) to interact with the stored content—for example, by clicking a link or viewing a crafted page [1].

Impact

If exploited, an attacker can inject malicious scripts that may perform actions such as redirecting visitors to external sites, displaying unauthorized advertisements, or stealing session cookies. This can lead to further compromise of the WordPress site and its users [1].

Mitigation

The vendor has released version 3.2.4, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins via Patchstack or consulting a hosting provider is recommended [1].