CVE-2025-31418: 
WordPress vulnerability analysis and mitigation

CVE-2025-31418 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the noonnoo Gravel WordPress theme, affecting all versions through 1.6. The vulnerability was discovered by Kévin Mosbahi (Mika) and was publicly disclosed on April 2, 2025 (Patchstack Database).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It has received a CVSS v3.1 base score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability allows for Reflected XSS attacks due to insufficient input sanitization and output escaping (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute when users perform specific actions, such as clicking on a malicious link. This could lead to the execution of malicious scripts, including redirects, advertisements, and other HTML payloads that will be executed when guests visit the affected site (Patchstack Database).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website owners using the affected theme versions are advised to implement the virtual patch until an official fix becomes available (Patchstack Database).