CVE-2025-31733 identifies a stored cross-site scripting vulnerability in the Boot Div WP Sitemap WordPress plugin, affecting all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently within the plugin's data structures. When other users or administrators view the affected pages, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to a range of attacks including session hijacking, credential theft, unauthorized actions on behalf of users, and redirection to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile, and no user interaction beyond visiting a compromised page is necessary for exploitation. Although no public exploits have been reported yet, the widespread use of WordPress and the popularity of sitemap plugins make this a significant threat. The lack of a CVSS score indicates the need for a manual severity assessment. The vulnerability is currently unpatched, and no official fixes or mitigations have been published by the vendor. The issue was reserved and published on April 1, 2025, by Patchstack, a known vulnerability aggregator for WordPress plugins.

The impact of this stored XSS vulnerability is substantial for organizations using the Boot Div WP Sitemap plugin. Attackers can leverage this flaw to execute arbitrary scripts in the context of the affected website, potentially compromising the confidentiality and integrity of user sessions and data. This can lead to theft of authentication cookies, enabling account takeover, unauthorized administrative actions, and the spread of malware or phishing campaigns through the compromised site. The availability of the site could also be affected if attackers deface pages or inject disruptive scripts. Since WordPress powers a significant portion of the web, and sitemap plugins are commonly used for SEO and site indexing, the scope of affected systems is broad. Organizations with high-traffic websites or those handling sensitive user data are at greater risk. The absence of authentication requirements lowers the barrier for exploitation, increasing the likelihood of attacks once exploits become available. The threat also undermines user trust and can result in reputational damage and regulatory consequences if user data is compromised.

To mitigate CVE-2025-31733, organizations should immediately audit their WordPress installations for the presence of the Boot Div WP Sitemap plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implement strict input validation and output encoding on all user-supplied data related to sitemap generation to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to block exploitation attempts. Monitor website logs and user activity for unusual behavior indicative of XSS attacks. Educate site administrators and users about the risks of clicking on suspicious links or content. Once a patch is available from the vendor, apply it promptly. Additionally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly back up website data to enable recovery in case of compromise. Finally, keep all WordPress plugins and core software updated to minimize exposure to known vulnerabilities.