CVE-2025-31625

The WordPress Useinfluence plugin versions up to and including 1.0.8 contain a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [CVE description]. This flaw falls under the category of Improper Neutralization of Input During Web Page Generation, enabling an attacker to store malicious scripts that execute when the page is viewed by other users.

Exploitation requires a privileged user (such as an administrator) to perform an action like clicking a crafted link or visiting a specially prepared page, as user interaction is required [1]. The attack is initiated by a lower-privileged role, but the malicious payload is stored and executed when a higher-privileged user accesses the affected page. This can lead to forced execution of unwanted actions under the victim's current authentication.

A successful attack could allow an attacker to perform actions on behalf of the compromised administrator, including modifying site settings, injecting additional malicious code, or exfiltrating sensitive data. The CVSS score of 7.1 (High) reflects the significant impact of this vulnerability when combined with the required user interaction and privileged context [1].

As of the publication date (March 31, 2025), a patched version is not explicitly mentioned; users are advised to update the plugin if a fix becomes available, or contact their hosting provider for assistance. The vulnerability is known to be used in mass-exploit campaigns, making immediate action critical [1].