CVE-2025-31884: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WP CMS Ninja Norse Rune Oracle Plugin affecting versions through 1.4.3. The vulnerability was reported on December 17, 2024, and publicly disclosed on April 1, 2025. This security issue affects the WordPress plugin Norse Rune Oracle and requires Contributor or higher privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue, falling under the OWASP Top 10 category A3: Injection. It has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when guests visit the affected site. The impact is considered low severity but could potentially affect website functionality and user experience (Patchstack).

The vulnerability has been patched in version 1.4.4 of the Norse Rune Oracle Plugin. Users are advised to update to version 1.4.4 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).