CVE-2025-31090 identifies a stored cross-site scripting (XSS) vulnerability in the alordiel Dropdown Multisite selector plugin, affecting all versions prior to 0.9.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is permanently stored on the affected site. When other users visit the compromised pages, the malicious script executes in their browsers within the context of the vulnerable site. This can lead to a variety of attacks including session hijacking, credential theft, unauthorized actions on behalf of users, and distribution of malware. The vulnerability does not require authentication, increasing its risk profile, and no user interaction beyond visiting the infected page is necessary for exploitation. Although no public exploits have been reported yet, the nature of stored XSS makes it a critical threat to multisite WordPress environments using this plugin. The absence of a CVSS score necessitates an expert severity assessment, which rates this vulnerability as high due to its potential impact on confidentiality and integrity, ease of exploitation, and broad scope of affected systems. The plugin is used primarily in WordPress multisite setups, which are common in enterprise and large organizational contexts. The vulnerability was published on March 28, 2025, with no patches currently available, highlighting the urgency for mitigation.

The impact of CVE-2025-31090 is significant for organizations using the alordiel Dropdown Multisite selector plugin, especially in multisite WordPress environments. Successful exploitation can lead to persistent injection of malicious scripts that compromise user sessions, steal sensitive information such as cookies and credentials, and enable attackers to perform unauthorized actions on behalf of legitimate users. This undermines the confidentiality and integrity of the affected websites and can also damage availability if attackers use the vulnerability to deface sites or distribute malware. The stored nature of the XSS means the malicious payload remains until removed, potentially affecting all visitors to the compromised pages. Organizations with large user bases or sensitive data are at heightened risk of reputational damage, regulatory penalties, and operational disruption. The ease of exploitation without authentication or user interaction further elevates the threat level. Given the widespread use of WordPress and multisite configurations globally, the vulnerability could affect a broad range of sectors including government, education, e-commerce, and media.

To mitigate CVE-2025-31090, organizations should take immediate steps beyond generic advice: 1) Temporarily disable the alordiel Dropdown Multisite selector plugin until an official patch is released. 2) Implement strict input validation and output encoding on all user-supplied data, especially in areas handled by the plugin. 3) Deploy a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4) Monitor web server logs and application behavior for unusual or suspicious activity indicative of exploitation attempts. 5) Conduct a thorough audit of multisite installations to identify and sanitize any stored malicious scripts already present. 6) Educate site administrators and developers about secure coding practices related to input handling. 7) Stay updated with vendor advisories and apply patches promptly once available. 8) Consider using web application firewalls (WAFs) with custom rules to detect and block XSS attack patterns targeting this plugin. These targeted actions will help reduce the risk and exposure until a permanent fix is deployed.