CVE-2025-31853: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Smartarget Popup WordPress plugin, affecting versions up to 1.4. The vulnerability was identified by Nguyen Khanh Hao from HPT Vietnam and was officially disclosed on April 1, 2025. This security issue requires administrator-level privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, high privileges, and user interaction to exploit (NVD).

The vulnerability allows authenticated users with administrator privileges to inject malicious scripts into the website. These scripts can be used to create redirects, insert unauthorized advertisements, and execute other HTML payloads that will be triggered when visitors access the affected site (Patchstack).

As of the disclosure date, no official fix has been made available for this vulnerability. Given the low severity impact and the requirement for administrative privileges, the vulnerability is considered low priority for patching (Patchstack).