CVE-2025-31604: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Cal.com WordPress plugin versions through 1.0.0. The vulnerability was discovered on March 31, 2025, and is tracked as CVE-2025-31604. This security issue affects the Cal.com plugin and allows attackers to inject malicious scripts that are stored on the target system (Patchstack).

The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) with a CVSS v3.1 score of 6.5 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires user interaction (UI:R), and has a changed scope (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (Patchstack).

When exploited, this vulnerability could allow malicious actors to inject scripts that execute when users visit the affected website. These scripts could be used to redirect users, inject unwanted advertisements, or execute other malicious HTML payloads in the context of the user's browser session (Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive future updates or security fixes (Patchstack).