CVE-2025-28891
Published: 11 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-28891 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the jazzigor price-calc WordPress plugin that allows Stored XSS. The vulnerability affects price-calc versions from n/a through 0.6.3. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope with low impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by unauthenticated attackers over the network who trick authenticated users, such as administrators, into performing unintended actions via a forged request. This leads to the storage of malicious XSS payloads, which can then execute in the context of other users viewing affected pages, potentially enabling session hijacking, data theft, or further site compromise.
The Patchstack advisory provides details on this CSRF-to-Stored XSS issue in the WordPress price-calc plugin version 0.6.3; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/price-calc/vulnerability/wordpress-price-calc-plugin-0-6-3-csrf-to-stored-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing WordPress plugin allowing network exploitation of CSRF to inject Stored XSS, directly mapping to T1190. The resulting XSS payload execution in user browsers facilitates stealing web session cookies (T1539) for the described session hijacking and data theft.