CVE-2025-31102
Published: 28 March 2025
Summary
CVE-2025-31102 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-31102 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Hostel WordPress plugin developed by Bob Hostel. The flaw impacts all versions of the plugin up to and including 1.1.5.5, allowing malicious input to be reflected back in web pages without proper sanitization. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and changed scope.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network by crafting malicious links or payloads that require user interaction, such as tricking a site administrator or authenticated user into visiting a specially crafted URL on the vulnerable Hostel plugin site. Successful exploitation enables script injection in the victim's browser context, potentially leading to low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), including theft of session cookies, keystroke logging, or phishing within the site's scope, amplified by the changed scope (S:C) to affect client-side data.
Patchstack advisories document this issue and provide details on the vulnerability in the WordPress Hostel plugin version 1.1.5.5; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance, such as updating to a patched version if available or implementing input validation and content security policies.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8575
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables T1190 exploitation, T1059.007 JavaScript execution via script injection, and T1539 stealing web session cookies.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of information inputs to prevent malicious payloads like XSS scripts from being accepted and reflected in web pages.
Mandates filtering of information outputs to neutralize unsanitized input during web page generation, directly mitigating reflected XSS.
Ensures timely remediation of flaws such as the improper input neutralization in the Hostel plugin, eliminating the vulnerability through patching.