CVE-2025-31918: 
WordPress vulnerability analysis and mitigation

A critical privilege escalation vulnerability (CVE-2025-31918) was discovered in Simple Business Directory Pro WordPress plugin affecting versions through 15.4.8. The vulnerability was disclosed on May 22, 2025, and is characterized by an Incorrect Privilege Assignment issue that enables privilege escalation. The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) (Patchstack).

The vulnerability is classified as CWE-266 (Incorrect Privilege Assignment) and has received a Critical CVSS v3.1 score of 9.8 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability allows malicious actors to escalate their privileges, potentially gaining full control of the affected website. The high CVSS score of 9.8 indicates severe potential impacts on system security, with possible complete compromise of confidentiality, integrity, and availability of the affected system (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).