replyMail WordPress Plugin CVE-2025-31029
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bingu replyMail replymail allows Stored XSS.This issue affects replyMail: from n/a through <= 1.2.0.
AnalysisAI
Stored cross-site scripting in the replyMail WordPress plugin (versions ≤1.2.0) enables remote attackers to inject malicious scripts that execute in victims' browsers when viewing compromised pages. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect resources beyond the vulnerable component's security scope, potentially compromising other WordPress users or administrators. EPSS score of 0.02% suggests low probability of mass exploitation, though the no-authentication requirement (PR:N) lowers the barrier for opportunistic attacks. Patchstack has documented this vulnerability but patch availability remains unconfirmed.
Technical ContextAI
This is a stored (persistent) XSS vulnerability (CWE-79) in the replyMail WordPress plugin developed by bingu. Stored XSS occurs when user-supplied data is saved to the application's database or persistent storage without proper sanitization, then later displayed to other users without adequate output encoding. In WordPress plugins, this commonly affects form inputs, comment fields, settings pages, or email reply handling mechanisms. Given the plugin name 'replyMail', the vulnerability likely exists in the processing and display of email replies or related user input. The CVSS vector indicates network-based exploitation (AV:N) with low attack complexity (AC:L), requiring no authentication (PR:N) but user interaction (UI:R), suggesting victims must view a page containing the malicious payload. The changed scope (S:C) is significant for WordPress environments, as it indicates the injected script executes with different privileges than the vulnerable plugin component itself, potentially enabling session hijacking, privilege escalation, or attacks against other WordPress users.
Affected ProductsAI
WordPress replyMail plugin by bingu, all versions from earliest release through version 1.2.0 inclusive. The vulnerability affects installations where the plugin is active and accepts user-controlled input that gets stored and displayed. No CPE string provided in available data. Vendor advisory or patch information not confirmed in Patchstack reference, which primarily documents a related CSRF vulnerability rather than this specific stored XSS issue.
RemediationAI
No vendor-released patch version confirmed from available data sources. The Patchstack reference link addresses a CSRF vulnerability rather than providing explicit remediation for CVE-2025-31029. Recommended immediate actions: First, audit whether replyMail plugin versions ≤1.2.0 are deployed in your WordPress environments. If installed, check the official WordPress plugin repository at wordpress.org/plugins/replymail or the bingu vendor site for updates beyond version 1.2.0. If no patch exists, implement compensating controls: disable the replyMail plugin until a fix is released, restrict plugin usage to trusted administrators only via WordPress role restrictions, implement Content Security Policy headers to limit inline script execution scope, deploy web application firewall rules to filter common XSS patterns in inputs handled by the plugin. Monitor WordPress security mailing lists and Patchstack database for patch release notifications. Note that disabling the plugin may break email reply functionality depending on site workflows.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today