CVE-2025-28862
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28862 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Comment Date and Gravatar Remover" (also known as remove-date-and-gravatar-under-comment by Venugopal). The issue affects all versions of the plugin from its initial release through version 1.0 inclusive. Published on 2025-03-11, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with low integrity impact and no effects on confidentiality or availability.
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Any unauthenticated adversary can craft and deliver forged requests to trick an authenticated WordPress user—typically an administrator or editor—into inadvertently performing unauthorized actions on the plugin's settings or functions, potentially leading to unintended modifications.
The Patchstack advisory provides further details on this CSRF issue in the WordPress Comment Date and Gravatar Remover plugin version 1.0: https://patchstack.com/database/Wordpress/Plugin/remove-date-and-gravatar-under-comment/vulnerability/wordpress-comment-date-and-gravatar-remover-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Security practitioners should consult this reference for recommended mitigations, such as applying any available updates or implementing CSRF protections.
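To make the mitigation concrete, the following is an added illustration (not code from the Comment Date and Gravatar Remover plugin or from Patchstack) of the pattern behind a CWE-352 finding in a WordPress settings handler and the nonce plus capability checks that close it. All function, option and action names are hypothetical.

```php
<?php
// Added illustration, not code from the Comment Date and Gravatar Remover plugin.
// All option/function/action names here are hypothetical.

// BEFORE: a settings handler with no CSRF protection. Any POST that reaches
// admin-post.php while the victim is logged in is accepted, so a form on an
// attacker-controlled page can change the option (CWE-352).
function hypothetical_save_settings_vulnerable() {
    if ( isset( $_POST['hide_gravatar'] ) ) {
        update_option( 'hypothetical_hide_gravatar', (bool) $_POST['hide_gravatar'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical' ) );
    exit;
}

// AFTER: the same handler with the two checks WordPress core provides.
function hypothetical_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the token is bound to the user session, the action name
    //    and a time window, so a cross-site page cannot supply a valid one.
    //    check_admin_referer() stops the request with a 403 when it is missing or bad.
    check_admin_referer( 'hypothetical_save_settings', 'hypothetical_nonce' );

    update_option( 'hypothetical_hide_gravatar', ! empty( $_POST['hide_gravatar'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical' ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_settings', 'hypothetical_save_settings_hardened' );

// The plugin's own settings form must emit the matching nonce field; the
// hardened handler rejects any submission that lacks it.
function hypothetical_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_save_settings">
        <?php wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' ); ?>
        <label><input type="checkbox" name="hide_gravatar" value="1"> Hide Gravatars</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `admin_init` or `wp_ajax_*` handler that calls `update_option()` and confirm both a capability check and a nonce check precede the write.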
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in a public-facing WordPress plugin allows forged requests to modify settings when an authenticated user clicks a malicious link, directly mapping to T1190 (exploiting public-facing apps) and T1204.001 (user execution via malicious link).