CVE-2025-31906 identifies a security vulnerability in the WP Profitshare plugin for WordPress, specifically versions up to 1.4.9. The vulnerability is a Cross-Site Request Forgery (CSRF) issue that allows an attacker to trick authenticated users into executing unwanted actions without their consent. Additionally, the vulnerability enables Stored Cross-Site Scripting (XSS), where malicious scripts injected by an attacker are stored persistently within the application and executed in the context of other users' browsers. This combination is particularly dangerous because CSRF can be used to submit malicious payloads that result in stored XSS, potentially leading to session hijacking, privilege escalation, or data theft. The plugin is used to integrate ProfitShare.ro affiliate marketing services into WordPress sites, often in e-commerce or affiliate marketing contexts. The vulnerability requires the victim to be authenticated and to interact with a crafted malicious webpage or link. No CVSS score has been assigned yet, and no patches or known exploits are currently available. The vulnerability was published on April 1, 2025, by Patchstack. The absence of patches means sites remain exposed until mitigations or updates are applied. The lack of authentication bypass means attackers rely on social engineering to exploit the vulnerability. However, the impact on affected sites can be significant due to the persistent nature of stored XSS and the ability to perform unauthorized actions via CSRF.

The combined CSRF and stored XSS vulnerability in WP Profitshare can have severe consequences for organizations using this plugin. Attackers can perform unauthorized actions on behalf of authenticated users, potentially changing settings, injecting malicious content, or manipulating affiliate marketing data. Stored XSS can lead to session hijacking, credential theft, or distribution of malware to site visitors. This can damage organizational reputation, lead to data breaches, and cause financial losses, especially for e-commerce sites relying on affiliate marketing. The vulnerability undermines the confidentiality, integrity, and availability of affected WordPress sites. Since the plugin is used in affiliate marketing, attackers could manipulate affiliate commissions or redirect traffic fraudulently. The lack of known exploits in the wild currently limits immediate risk, but the public disclosure increases the likelihood of future exploitation. Organizations worldwide that use WP Profitshare are at risk until patches or mitigations are applied.

1. Immediately audit all WordPress sites using WP Profitshare and identify versions up to 1.4.9. 2. If an official patch or update is released, prioritize applying it promptly. 3. In the absence of patches, implement Web Application Firewall (WAF) rules to detect and block CSRF attack patterns and suspicious POST requests targeting the plugin endpoints. 4. Enforce strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources. 5. Educate users and administrators about phishing and social engineering risks to reduce the chance of victim interaction with malicious links. 6. Regularly scan the website for injected malicious scripts or unauthorized changes, especially in areas managed by the plugin. 7. Consider temporarily disabling or replacing the WP Profitshare plugin if critical business functions are not dependent on it until a secure version is available. 8. Monitor security advisories from the vendor and Patchstack for updates or patches. 9. Implement multi-factor authentication (MFA) for WordPress admin accounts to reduce the impact of session hijacking. 10. Review and harden WordPress security configurations, including limiting user privileges and securing admin interfaces.