CVE-2025-28889
Published: 26 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28889 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79) that enables Reflected Cross-site Scripting (XSS). It affects the Custom Product Stickers for WooCommerce WordPress plugin (slug: custom-product-stickers-for-woocommerce) by starblank, in all versions through 1.9.0 inclusive (no lower bound is listed, recorded as n/a). The vulnerability was published on 2025-03-26.
Attackers can exploit this over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as tricking a user into visiting a maliciously crafted URL. Exploitation changes scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 7.1 (High). The flaw allows attacker-supplied script to be reflected into pages that the plugin renders for authenticated or unauthenticated users.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-product-stickers-for-woocommerce/vulnerability/wordpress-custom-product-stickers-for-woocommerce-plugin-1-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS issue in plugin version 1.9.0 and provides details on mitigation.
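The CWE-79 pattern behind this class of finding, shown as an added example in WordPress plugin idiom; this is not the plugin's own code, and the handler, its function names and the `sticker_label` request parameter are hypothetical.

```php
<?php
// Added example, not code from the Custom Product Stickers plugin. The
// parameter name and functions are hypothetical; the WordPress API calls
// (sanitize_text_field, wp_unslash, esc_html, esc_attr, check_admin_referer)
// are the real core functions.

// Vulnerable pattern (CWE-79): a GET parameter is written straight into the
// page, both as a text node and inside an attribute value, with no
// neutralization. A crafted link reflects whatever it carries into the DOM.
function cps_example_render_vulnerable() {
    $label = isset( $_GET['sticker_label'] ) ? $_GET['sticker_label'] : '';
    echo '<h2>Preview: ' . $label . '</h2>';
    echo '<input type="text" name="sticker_label" value="' . $label . '">';
}

// Hardened pattern: sanitize on input, then escape for the exact output
// context. esc_html() is correct for text content, esc_attr() for attribute
// values; using one where the other belongs is itself a common XSS bug.
function cps_example_render_hardened() {
    // For admin-side preview actions, a nonce check also stops a forged link
    // from reaching the rendering code at all (the page name is made up).
    check_admin_referer( 'cps_example_preview' );

    $label = isset( $_GET['sticker_label'] )
        ? sanitize_text_field( wp_unslash( $_GET['sticker_label'] ) )
        : '';

    echo '<h2>Preview: ' . esc_html( $label ) . '</h2>';
    echo '<input type="text" name="sticker_label" value="' . esc_attr( $label ) . '">';
}
```

Sanitization alone is not a substitute for output escaping: sanitize_text_field() strips tags but leaves characters that still break out of an attribute, so the context-specific esc_* call at the point of output is the control that actually neutralizes the reflection.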
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables injection of malicious scripts via a crafted URL that requires user interaction to visit, directly mapping to execution of code through a malicious link.