CVE-2025-31391: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in regen Script Compressor WordPress plugin, which allows Stored XSS attacks. The vulnerability affects Script Compressor versions through 1.7.1 and was disclosed on April 9, 2025. The vulnerability has been assigned CVE-2025-31391 and received a CVSS v3.1 base score of 7.1 (HIGH) (NVD, Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to perform actions on behalf of authenticated users. The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges but does need user interaction, and can affect resources beyond the security scope of the affected component (NVD).

The vulnerability combines CSRF with Stored XSS capabilities, potentially allowing attackers to execute unwanted actions under the authentication of higher privileged users and store malicious scripts that can be executed later. This dual nature of the vulnerability increases its severity as it can lead to both unauthorized actions and persistent malicious code execution (Patchstack).

Currently, there is no official fix available for this vulnerability as indicated in the vulnerability report. Website administrators running the affected versions of Script Compressor (<=1.7.1) should consider removing or disabling the plugin until a patch is released (Patchstack).