CVE-2025-31562

The Uptime Robot Plugin for WordPress versions up to and including 2.3 contain a DOM-Based Cross-Site Scripting (XSS) vulnerability, CVE-2025-31562. The root cause is improper neutralization of user input during web page generation, which allows an attacker to inject arbitrary JavaScript code that executes in the browser of a victim visiting the affected site.

Exploitation of this vulnerability requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. No authentication is needed for the attacker to deliver the payload, but a privileged user (e.g., administrator) must perform the action that triggers the execution. The attack vector is network-based, and the vulnerability has a CVSS v3 score of 6.5 (Medium) [1].

A successful exploit could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when visitors access the website [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of sites regardless of their size or popularity, as noted in the advisory [1].

As an immediate mitigation, users should update the plugin to a patched version. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance [1]. No workaround or patch version has been disclosed at the time of publication, making the update the primary recommended action.