CVE-2025-31591 identifies a stored cross-site scripting (XSS) vulnerability in the Exit Popup Free plugin developed by promoz73, affecting all versions up to and including 1.0. The vulnerability stems from improper input sanitization during the generation of web pages, allowing attackers to inject malicious scripts that are stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. Stored XSS is particularly dangerous because the payload remains on the server and impacts multiple users over time. The plugin Exit Popup Free is typically used to display exit-intent popups on websites, often in marketing or e-commerce contexts, which means the vulnerability could affect a broad user base. No authentication is required to exploit this vulnerability, and user interaction is limited to visiting a compromised page. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and thus may attract attackers. The lack of a CVSS score requires an assessment based on the nature of the vulnerability, its impact on confidentiality, integrity, and availability, and the ease of exploitation. The vulnerability does not appear to affect availability directly but poses significant risks to confidentiality and integrity. The plugin’s market penetration, especially in countries with high WordPress usage, increases the potential attack surface. Organizations using this plugin should monitor for updates or patches and consider immediate mitigations such as input validation, output encoding, or disabling the plugin until fixed.

The impact of CVE-2025-31591 can be significant for organizations worldwide that use the Exit Popup Free plugin on their websites. Stored XSS vulnerabilities allow attackers to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of cookies or credentials, defacement of websites, and distribution of malware. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues if user data is compromised. Since the vulnerability does not require authentication and can be triggered simply by visiting a compromised page, the attack surface is broad. Marketing and e-commerce websites that rely on exit popups for customer engagement are particularly at risk, as attackers may exploit this vector to target customers directly. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. Organizations may face increased incident response costs, potential legal liabilities, and operational disruptions if the vulnerability is exploited. The impact on confidentiality and integrity is high, though availability is not directly affected.

To mitigate CVE-2025-31591, organizations should first check for any official patches or updates from promoz73 for the Exit Popup Free plugin and apply them immediately once available. In the absence of patches, consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Implement strict input validation and output encoding on all user-supplied data that the plugin processes, especially data that is reflected or stored and rendered in web pages. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize stored data to remove any malicious payloads that may have been injected prior to mitigation. Monitor web traffic and logs for unusual activity indicative of XSS exploitation attempts. Educate web developers and administrators about secure coding practices to prevent similar vulnerabilities in custom or third-party plugins. Finally, maintain a robust web application firewall (WAF) configured to detect and block common XSS attack patterns targeting the affected plugin.