CVE-2025-31812: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the Tomas BuddyPress Members Only WordPress plugin, tracked as CVE-2025-31812. The vulnerability affects versions through 3.5.3 of the plugin and was discovered by researcher theviper17y. The issue was reported on September 30, 2024, and publicly disclosed on April 1, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher privileges to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to and including 3.5.3 of the BuddyPress Members Only plugin (Patchstack).