CVE-2025-10636: 
WordPress vulnerability analysis and mitigation

The NS Maintenance Mode for WP WordPress plugin through version 1.3.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on October 1, 2025, and publicly disclosed on October 30, 2025. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations where the plugin is active (WPScan, NVD).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with high privileges to inject malicious JavaScript code into the site through the plugin's settings. When exploited, this could lead to stored XSS attacks that execute when other users view affected pages. This is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically restricted (WPScan).

Currently, there is no known fix available for this vulnerability. Users should monitor for updates from the plugin developer and consider implementing additional security controls or temporarily disabling the plugin if the risk is deemed too high (WPScan).