CVE-2025-31435

CVE-2025-31435 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Efficient Scripts Microblog Poster (microblog-poster) WordPress plugin that enables Stored Cross-Site Scripting (XSS). The vulnerability affects all versions of the plugin from its initial release through version 2.1.6 inclusive. It was published on 2025-03-28 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network without requiring authentication privileges. Exploitation relies on user interaction, typically by tricking a legitimate user—such as an authenticated WordPress administrator—into visiting a malicious webpage that submits a forged request to the vulnerable plugin endpoint. Successful exploitation results in stored XSS, allowing attackers to inject and persist malicious scripts on the site, leading to low impacts on confidentiality, integrity, and availability within a changed scope.

The Patchstack advisory provides further details on this WordPress plugin vulnerability, including assessment and potential mitigation steps, accessible at https://patchstack.com/database/Wordpress/Plugin/microblog-poster/vulnerability/wordpress-microblog-poster-plugin-2-1-6-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve.