CVE-2025-31088 describes a stored cross-site scripting vulnerability in the Cozmoslabs Paid Member Subscriptions WordPress plugin versions up to 2.14.3. The issue stems from improper input neutralization during web page generation, which allows attackers with some privileges to inject malicious scripts that persist and execute in the context of other users' browsers. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality, integrity, and availability. No patch or vendor advisory is provided in the data, and no known exploitation has been reported.

Successful exploitation of this vulnerability can lead to stored XSS attacks, potentially allowing attackers to execute arbitrary scripts in the context of affected users. This can result in limited confidentiality, integrity, and availability impacts such as session hijacking, defacement, or other malicious actions within the scope of the affected application. However, the attack requires some privileges and user interaction, limiting the ease of exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting privileges to trusted users and monitoring for suspicious activity related to the Paid Member Subscriptions plugin. Avoid exposing administrative or privileged interfaces to untrusted users. Follow vendor updates closely for an official patch or mitigation instructions.