CVE-2025-31091: 
WordPress vulnerability analysis and mitigation

CVE-2025-31091 is a Cross-site Scripting (XSS) vulnerability discovered in CreativeMindsSolutions CM Header and Footer WordPress plugin. The vulnerability was identified on March 20, 2025, and publicly disclosed on April 3, 2025. This security flaw affects all versions of CM Header and Footer through version 1.2.4. The vulnerability has been classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue (NVD, Patchstack).

The vulnerability is categorized as a Stored Cross-Site Scripting (XSS) issue that can be exploited by authenticated users with Subscriber or higher privileges. It has received a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with impacts on confidentiality, integrity, and availability all rated as low (NVD, Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when visitors access the affected site, potentially compromising the security of both the website and its users (Patchstack).

The vulnerability has been patched in version 1.2.5 of the CM Header and Footer plugin. Users are advised to update to version 1.2.5 or later immediately. For users of Patchstack security services, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).