CVE-2025-31394: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress More Mime Type Filters plugin, tracked as CVE-2025-31394. The vulnerability affects versions up to 0.3 of the plugin and was discovered by researcher johska on March 31, 2025, with public disclosure on April 9, 2025. This security flaw involves improper neutralization of input during web page generation, allowing for stored XSS attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The technical classification identifies this as a CWE-79 type vulnerability, specifically relating to improper neutralization of input during web page generation. The vulnerability combines both Cross-Site Request Forgery (CSRF) and Stored XSS capabilities (NVD, Patchstack).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication through CSRF, combined with the ability to store and execute malicious scripts through XSS. This dual-nature vulnerability presents a significant risk to affected WordPress installations (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the lack of an official patch, website administrators running the affected versions of the More Mime Type Filters plugin should consider either removing the plugin or implementing additional security controls to mitigate the risk (Patchstack).