CVE-2025-28867
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28867 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the stesvis Frontpage Category Filter WordPress plugin (frontpage-category-filter). It affects all versions from n/a through 1.0.2 inclusive. Published on 2025-03-11, the issue has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting medium severity with network accessibility, low attack complexity, no privileges required, and required user interaction, resulting in low integrity impact.
A remote attacker without privileges can exploit this CSRF vulnerability by tricking an authenticated user into submitting a malicious request via a crafted webpage or link, performing unauthorized actions on the victim's behalf within the affected WordPress site. Exploitation requires user interaction, such as clicking a link, and is limited to low-impact integrity violations, with no effects on confidentiality or availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/frontpage-category-filter/vulnerability/wordpress-frontpage-category-filter-plugin-1-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve details the CSRF issue in Frontpage Category Filter plugin version 1.0.2 and serves as the primary reference for mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability requires tricking an authenticated user into clicking a crafted link or visiting a malicious webpage to trigger unauthorized actions, directly mapping to T1204.001 Malicious Link under User Execution.