CVE-2025-31017: 
WordPress vulnerability analysis and mitigation

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability was discovered in Robert Noakes Nav Menu Manager WordPress plugin affecting versions through 3.2.5. The vulnerability was disclosed on April 9, 2025, and has been assigned CVE-2025-31017 (NVD, Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The vulnerability requires Contributor-level access or higher to exploit (Patchstack).

The vulnerability has been fixed in version 3.2.6 of the Nav Menu Manager plugin. Users are advised to update to version 3.2.6 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is unlikely to be exploited (Patchstack).