CVE-2025-31401: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress plugin MMX – Make Me Christmas, affecting all versions up to and including 1.0.0. The vulnerability was discovered by researcher johska and was publicly disclosed on April 9, 2025, receiving the identifier CVE-2025-31401. The issue stems from missing or incorrect nonce validation on certain functions (WPScan).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery) and allows for stored Cross-Site Scripting attacks. The technical assessment indicates that the vulnerability requires no privileges (unauthenticated) to exploit, though it does require user interaction (Patchstack).

The vulnerability enables unauthenticated attackers to update settings and inject malicious web scripts through forged requests, provided they can deceive a site administrator into performing specific actions such as clicking on a malicious link. This could lead to stored cross-site scripting attacks, potentially compromising the website's security (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects all versions up to and including 1.0.0 of the MMX – Make Me Christmas plugin (Patchstack).