Cyber Resilience

CVE-2025-31102

High

Published: 28 March 2025

Published
28 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0035 57.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31102 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-31102 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Hostel WordPress plugin developed by Bob Hostel. The flaw impacts all versions of the plugin up to and including 1.1.5.5, allowing malicious input to be reflected back in web pages without proper sanitization. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and changed scope.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network by crafting malicious links or payloads that require user interaction, such as tricking a site administrator or authenticated user into visiting a specially crafted URL on the vulnerable Hostel plugin site. Successful exploitation enables script injection in the victim's browser context, potentially leading to low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), including theft of session cookies, keystroke logging, or phishing within the site's scope, amplified by the changed scope (S:C) to affect client-side data.

Patchstack advisories document this issue and provide details on the vulnerability in the WordPress Hostel plugin version 1.1.5.5; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance, such as updating to a patched version if available or implementing input validation and content security policies.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS in public-facing WordPress plugin enables T1190 exploitation, T1059.007 JavaScript execution via script injection, and T1539 stealing web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23538Shared CWE-79
CVE-2026-27099Shared CWE-79
CVE-2025-12716Shared CWE-79
CVE-2026-34563Shared CWE-79
CVE-2025-68883Shared CWE-79
CVE-2024-13875Shared CWE-79
CVE-2026-24778Shared CWE-79
CVE-2025-64539Shared CWE-79
CVE-2025-23683Shared CWE-79
CVE-2024-13055Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of information inputs to prevent malicious payloads like XSS scripts from being accepted and reflected in web pages.

prevent

Mandates filtering of information outputs to neutralize unsanitized input during web page generation, directly mitigating reflected XSS.

prevent

Ensures timely remediation of flaws such as the improper input neutralization in the Hostel plugin, eliminating the vulnerability through patching.

References