CVE-2025-31019: 
WordPress vulnerability analysis and mitigation

Authentication Bypass Using an Alternate Path or Channel vulnerability affects miniOrange Password Policy Manager WordPress plugin versions through 2.0.4. The vulnerability was discovered by Rafie Muhammad and was assigned CVE-2025-31019 on June 9, 2025. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) (Wiz, NVD).

The vulnerability is classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288). It has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impacts on confidentiality, integrity, and availability (NVD, Wiz).

The vulnerability allows authentication abuse that can be exploited by a malicious actor to perform actions which normally should only be executed by higher privileged users. These actions might allow the attacker to gain admin access to the website (Patchstack).

Users are advised to update to version 2.0.5 or later of the Password Policy Manager plugin to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).