CVE-2025-31804 identifies a stored Cross-site Scripting (XSS) vulnerability in the DraftPress Team's Follow Us Badges WordPress plugin, specifically affecting versions up to and including 3.1.11. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the plugin's data. When a user visits a page containing the malicious payload, the injected script executes in their browser context. This can lead to a variety of attacks, including session hijacking, credential theft, unauthorized actions on behalf of the user, and distribution of malware. Stored XSS is particularly dangerous because the malicious code is saved on the server and served to all users accessing the affected page or component. The plugin is used to display social media follow badges on WordPress sites, which may be widely deployed across various sectors. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and thus poses a risk. The absence of an official patch at the time of publication necessitates immediate attention to input validation and output encoding. The vulnerability does not require authentication to exploit, increasing its risk profile. The lack of a CVSS score requires an assessment based on impact and exploitability factors, leading to a high severity rating.

The stored XSS vulnerability in the Follow Us Badges plugin can have severe consequences for affected organizations. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can facilitate account takeover or unauthorized access to administrative functions. Additionally, attackers may deface websites, damage brand reputation, or use the site as a vector to distribute malware to visitors. The vulnerability affects the confidentiality and integrity of user data and can also impact availability if combined with other attacks. Since the plugin is used on WordPress sites, which power a significant portion of the web, the scope of affected systems is broad. The ease of exploitation without authentication and the persistent nature of stored XSS increase the risk of widespread impact, especially on high-traffic or security-sensitive websites.

Organizations should immediately audit their WordPress installations to identify the presence of the Follow Us Badges plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implement strict input validation and output encoding on all user-supplied data related to the plugin's functionality to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor website logs and user reports for signs of exploitation or unusual activity. Educate site administrators and developers on secure coding practices, particularly regarding input handling in plugins. Once a patch is available, prioritize prompt application to remediate the vulnerability. Additionally, consider using web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin.