CVE-2025-28877
Published: 26 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-28877 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79. It affects the Key4ce osTicket Bridge WordPress plugin (key4ce-osticket-bridge), developed by m.tiggelaar, in all versions from n/a through 1.4.0. The issue was published on 2025-03-26 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Successful exploitation leverages the changed scope (S:C) to achieve low impacts on confidentiality, integrity, and availability, potentially allowing theft of session cookies, user data, or execution of scripts in the victim's browser context.
The primary advisory from Patchstack details the Reflected XSS in the Key4ce osTicket Bridge WordPress plugin up to version 1.4.0 and is available at https://patchstack.com/database/Wordpress/Plugin/key4ce-osticket-bridge/vulnerability/wordpress-key4ce-osticket-bridge-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should review it for recommended patches, workarounds, or updates beyond version 1.4.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation via malicious links (T1204.001) delivering JavaScript payloads (T1059.007) for session cookie theft (T1539) after exploiting the web app vuln (T1190).