CVE-2025-28865
Published: 26 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-28865 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WP Colorful Tag Cloud WordPress plugin by lionelroux, with all versions up to and including 2.0.1 vulnerable.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low attack complexity, but it demands user interaction, such as visiting a maliciously crafted URL. Exploitation allows limited impacts on confidentiality, integrity, and availability within a changed scope, typically permitting script execution in the victim's browser to steal session cookies or perform other client-side actions.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-colorful-tag-cloud/vulnerability/wordpress-wp-colorful-tag-cloud-plugin-2-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability, including mitigation recommendations for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web application (T1190) via malicious crafted URLs requiring user interaction (T1204.001), directly facilitating browser script execution to steal session cookies (T1185).