CVE-2025-28868
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28868 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the ZipList Recipe plugin (ziplist-recipe-plugin) for WordPress. The issue affects versions from n/a through 3.1 inclusive and was published on 2025-03-11.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). An unauthenticated attacker can exploit it over the network with low attack complexity, provided the victim performs required user interaction such as clicking a malicious link. Exploitation enables low-impact integrity violations with no effect on confidentiality or availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ziplist-recipe-plugin/vulnerability/wordpress-ziplist-recipe-plugin-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in public-facing WordPress plugin directly maps to exploiting a web application (T1190); exploitation requires victim to click malicious link (T1204.001).