CVE-2025-31395: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in a.ankit Easy Custom CSS WordPress plugin that allows Stored Cross-Site Scripting (XSS). The vulnerability affects Easy Custom CSS versions through 1.0, with no fix currently available. The issue was initially reported on March 31, 2025, and was publicly disclosed on April 9, 2025 (Patchstack).

The vulnerability has been assigned CVE-2025-31395 and received a CVSS v3.1 Base Score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R) (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact affects confidentiality, integrity, and availability, all rated as Low according to the CVSS scoring (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects version 1.0 and earlier versions of the Easy Custom CSS plugin (Patchstack).