The vulnerability CVE-2025-31615 affects the Simple Contact Forms plugin by owenr88, where improper neutralization of input during web page generation allows stored cross-site scripting (XSS). This means that an attacker can inject malicious scripts that are stored by the application and executed when other users view the affected content. The issue impacts all versions up to and including 1.6.4. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of other users, potentially leading to theft of sensitive information, session hijacking, or disruption of service. The CVSS vector indicates partial impact on confidentiality, integrity, and availability. There are no known exploits in the wild reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor vendor communications for updates. Until a fix is available, consider implementing web application firewall (WAF) rules to detect and block malicious input patterns related to XSS in the affected plugin.