CVE-2025-31583

High

Published: 31 March 2025

Published

31 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0008 23.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-31583 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Copy Media URL WordPress plugin by Ashish Ajani that enables Stored XSS. The issue affects the plugin from unknown initial versions through version 2.1 inclusive.

Attackers require no privileges and can exploit this over the network with low attack complexity, though user interaction is needed. Exploitation changes the scope and results in low impacts to confidentiality, integrity, and availability, yielding a CVSS v3.1 base score of 7.1.

The Patchstack advisory provides further details on this vulnerability in the WP Copy Media URL plugin version 2.1 at https://patchstack.com/database/Wordpress/Plugin/wp-copy-media-url/vulnerability/wordpress-wp-copy-media-url-plugin-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The CVE describes a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications for initial access or malicious script injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Plugin/wp-copy-media-url/vulnerability/wordpress-wp-copy-media-url-plugin-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com