CVE-2025-31039: 
WordPress vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability was discovered in the WordPress Category Icon plugin, identified as CVE-2025-31039. The vulnerability affects Category Icon versions through 1.0.2 and was initially reported by security researcher Drew Webber (mcdruid) on May 4, 2025, with public disclosure on June 3, 2025 (Wiz Report, Patchstack).

The vulnerability is classified as an Improper Restriction of XML External Entity Reference (CWE-611). It received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, and potential for high impacts on confidentiality, integrity, and availability (NVD, Wiz Report).

The XXE vulnerability could enable malicious actors to inject arbitrary XML, potentially leading to sensitive information disclosure, denial of service conditions, and server-side request forgery. The specific impact may vary case by case, though the vulnerability has been assessed as having a critical severity rating (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects Category Icon versions up to 1.0.2, and no patched version has been released (Patchstack).