CVE-2025-31778: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-31778 is a Cross-Site Scripting (XSS) vulnerability discovered in the WordPress plugin Donate Me, affecting versions up to and including 1.2.5. The vulnerability was discovered by Khang Duong and publicly disclosed on April 1, 2025. This security flaw is classified as an Improper Neutralization of Input During Web Page Generation vulnerability that allows for Reflected XSS attacks (Patchstack, WPScan).

The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue stems from insufficient input sanitization and output escaping in the plugin's code. The vulnerability requires subscriber-level access or higher to exploit (Patchstack).

When successfully exploited, this vulnerability allows authenticated attackers with subscriber-level privileges or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, defacement, or other malicious actions (WPScan).

As there is no official fix available for this vulnerability, the recommended mitigation strategy is to remove and replace the Donate Me plugin with an alternative solution. Deactivating the plugin alone does not remove the security threat unless additional protective measures are implemented (Patchstack).