CVE-2025-31464 identifies a stored cross-site scripting (XSS) vulnerability in the Nazmur Rahman Text Selection Color plugin, which is used to customize text selection colors on web pages. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently within the application. When other users access the affected pages, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to a range of attacks including session hijacking, cookie theft, unauthorized actions on behalf of users, and potential redirection to malicious sites. The vulnerability affects all versions up to and including 1.6, with no patch currently available as per the provided data. Exploitation requires no authentication and minimal user interaction beyond visiting a compromised page, increasing the risk of widespread impact. Although no known exploits are reported in the wild, the nature of stored XSS makes it a critical concern for websites using this plugin, especially those with high traffic or sensitive user data. The lack of a CVSS score necessitates a severity assessment based on the vulnerability's characteristics, which indicate a high risk due to the potential impact on confidentiality and integrity, ease of exploitation, and broad scope of affected systems.

The stored XSS vulnerability in the Text Selection Color plugin can have severe consequences for organizations worldwide. Attackers can leverage this flaw to execute arbitrary scripts in the browsers of site visitors, potentially stealing session cookies, credentials, or other sensitive information. This can lead to account takeover, unauthorized transactions, or data breaches. Additionally, attackers might deface websites or redirect users to malicious domains, damaging organizational reputation and trust. For e-commerce, financial, healthcare, or government websites using this plugin, the impact could extend to regulatory non-compliance and legal liabilities. The vulnerability's persistence means that once exploited, malicious scripts remain active until removed, increasing the window of exposure. The ease of exploitation without authentication or complex prerequisites further amplifies the risk, making it a critical threat for any organization using the affected plugin.

Organizations using the Nazmur Rahman Text Selection Color plugin should immediately audit their installations to identify affected versions (up to 1.6). Since no patch links are currently available, administrators should consider the following mitigations: 1) Temporarily disable or remove the plugin until a secure update is released. 2) Implement web application firewall (WAF) rules to detect and block typical XSS payloads targeting this plugin. 3) Conduct thorough input validation and output encoding on any user-generated content related to the plugin if custom modifications exist. 4) Monitor web server and application logs for suspicious activity indicative of XSS exploitation attempts. 5) Educate site administrators and users about the risks of clicking unknown links or submitting untrusted content. 6) Once a patch is released, apply it promptly and verify the fix through security testing. 7) Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. These steps will help reduce exposure until an official patch is available and deployed.