CVE-2025-31617
Published: 31 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-31617 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the PostmarkApp Email Integrator WordPress plugin developed by Gagan Deep Singh. The flaw affects all versions of the plugin from its initial release through 2.4. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change with low impacts across confidentiality, integrity, and availability.
Because the flaw requires user interaction, an unauthenticated remote attacker exploits it by luring an authenticated user (typically an administrator) to a crafted webpage that silently submits a forged request to the plugin on that user's behalf. As the related advisory details, a successful CSRF request can store attacker-controlled content that is later rendered unescaped, producing stored cross-site scripting (XSS): the injected script persists and executes in the browsers of other users who view the affected pages.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/postmarkapp-email-integrator/vulnerability/wordpress-postmarkapp-email-integrator-plugin-2-4-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this as a CSRF-to-stored-XSS issue specifically in plugin version 2.4, providing technical details for security practitioners to assess and address the exposure in affected WordPress environments.
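As an added illustration, not code from the PostmarkApp Email Integrator plugin, the following shows the handler pattern that makes a WordPress settings form vulnerable to CSRF leading to stored XSS, beside the hardened form using WordPress's own nonce, capability, sanitization and escaping functions. Option, action and function names are hypothetical.

```php
<?php
// Added illustration only; option/action/function names are hypothetical
// and do not come from the affected plugin.

// Vulnerable pattern (CWE-352): the handler accepts any POST that reaches it.
// Without a nonce check, a page on another site can submit this form in the
// browser of a logged-in administrator; without sanitization and output
// escaping, the stored value is rendered as-is, giving stored XSS.
function vulnerable_save_settings() {
    if ( isset( $_POST['example_sender_name'] ) ) {
        update_option( 'example_sender_name', $_POST['example_sender_name'] );
    }
}
function vulnerable_render_settings() {
    echo '<input name="example_sender_name" value="'
        . get_option( 'example_sender_name' ) . '">';
}

// Hardened pattern.
function hardened_save_settings() {
    // Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Reject any request lacking a valid nonce bound to this action and to
    // the current user; a cross-site form cannot supply it.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );
    if ( isset( $_POST['example_sender_name'] ) ) {
        // Strip slashes WordPress adds, then sanitize to plain text before storing.
        $value = sanitize_text_field( wp_unslash( $_POST['example_sender_name'] ) );
        update_option( 'example_sender_name', $value );
    }
}
function hardened_render_settings() {
    // Emit the nonce field alongside the form, and escape on output so a
    // stored value can never break out of the attribute.
    wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
    echo '<input name="example_sender_name" value="'
        . esc_attr( get_option( 'example_sender_name', '' ) ) . '">';
}
```

When reviewing a plugin for this class of flaw, look for `update_option` or similar writes reachable from a request handler with no `check_admin_referer`/`wp_verify_nonce` and no capability check in front of them.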
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables remote exploitation (T1190, Exploit Public-Facing Application), and the resulting stored XSS allows persistent malicious JavaScript injection (T1059.007, Command and Scripting Interpreter: JavaScript).