CVE-2025-31772: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WP Modal Popup with Cookie Integration WordPress plugin, identified as CVE-2025-31772. The vulnerability affects versions up to and including 2.4 of the plugin. The issue was discovered by researcher Pham Van Tam and was publicly disclosed on April 1, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 5.9 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability allows authenticated attackers with administrator-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads that execute when guests visit the affected site (Patchstack).

Currently, there is no official fix available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. The recommended mitigation strategy is to remove and replace the plugin with an alternative solution. Note that merely deactivating the software does not remove the security threat (Patchstack).