CVE-2025-31860: 
WordPress vulnerability analysis and mitigation

CVE-2025-31860 is a Stored Cross-Site Scripting (XSS) vulnerability affecting WPeka WP AdCenter plugin versions through 2.5.9. The vulnerability was discovered and disclosed on April 1, 2025, and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit. The scope is changed, with low impacts on confidentiality, integrity, and availability (Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when guests visit the affected site, potentially compromising user security and website integrity (Patchstack).

Currently, there is no official fix available for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).