CVE-2025-31737: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Client Showcase plugin, identified as CVE-2025-31737. The vulnerability affects versions up to and including 1.2.0 of the Client Showcase plugin. The issue was discovered by researcher SOPROBRO and was publicly disclosed on April 1, 2025. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could enable attackers to inject redirects, advertisements, and other malicious HTML payloads that execute in visitors' browsers (Patchstack).

Currently, there is no official fix available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. The recommended mitigation is to remove and replace the plugin with an alternative solution (Patchstack).