CVE-2025-31567

Vulnerability

Description The themesflat-addons-for-elementor plugin for WordPress versions 2.3.1 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw, cataloged as CVE-2025-31567, enables authenticated users with certain privileges to inject arbitrary scripts that are stored on the server and later executed when other users view the affected pages [1].

Exploitation

Conditions Exploitation requires a privileged user role to perform an action such as submitting a form or clicking a crafted link. The attacker must have the ability to inject malicious payloads into fields that are not properly sanitized. Once injected, the script is stored and executed in the context of visitors' browsers without further user interaction [1].

Impact

If successfully exploited, this vulnerability allows an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. When visitors access the compromised page, the script executes, potentially leading to data theft, session hijacking, or defacement. The vulnerability is considered medium severity (CVSS 6.5) and has been noted as potentially used in mass-exploit campaigns against multiple websites [1].

Mitigation

The vendor has released version 2.3.2 which resolves the issue by properly sanitizing input. Users are strongly advised to update to this version immediately. For sites unable to update, a workaround is to restrict access to plugin settings to trusted administrators only. Patchstack users can enable auto-updates for vulnerable plugins [1].