CVE-2025-31819: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the Nova Blocks WordPress plugin by Pixelgrade, affecting versions up to 2.1.8. The vulnerability was reported on September 30, 2024, and officially published on April 1, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD).

The vulnerability could allow a malicious actor with contributor-level access or higher to inject malicious scripts into the website. When executed, these scripts could potentially lead to unauthorized redirects, malicious advertisement insertions, and other HTML payload executions when visitors access the affected site (Patchstack).

As of the vulnerability disclosure, no official fix has been made available for this security issue. Given its low severity impact and unlikely exploitation potential, immediate mitigation may not be critical (Patchstack).