CVE-2025-31745: 
WordPress vulnerability analysis and mitigation

The Subscription Form for Feedblitz WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-31745, affecting versions up to and including 1.0.9. The vulnerability was discovered by researcher 0xd4rk5id3 and publicly disclosed on April 1, 2025. The issue stems from insufficient input sanitization and output escaping in the plugin's functionality (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue requires an authenticated user with contributor-level access or higher to exploit (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, defacement, or other malicious actions (WPScan).

Currently, there is no known fix available for this vulnerability. The software appears to be abandoned, as it hasn't received updates for an extended period. Users are strongly advised to consider removing and replacing the plugin with a secure alternative (Patchstack).