CVE-2025-31615
Published: 31 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-31615 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, affecting the Simple Contact Forms WordPress plugin by owenr88. The issue impacts all versions of the plugin from n/a through 1.6.4 inclusive. Published on 2025-03-31, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by tricking authenticated users into interacting via a crafted request, such as through CSRF, to inject and store malicious scripts. Once stored, the XSS payload executes in the context of other site visitors or administrators viewing affected pages, enabling low-level impacts on confidentiality, integrity, and availability with a changed scope.
Patchstack documents this as a CSRF-to-Stored XSS vulnerability specifically in Simple Contact Forms version 1.6.4, providing details at https://patchstack.com/database/Wordpress/Plugin/simple-contact-forms/vulnerability/wordpress-simple-contact-forms-plugin-1-6-4-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables remote exploitation of the web app (T1190) and attacker-controlled JavaScript execution in victim browsers (T1059.007).