CVE-2025-28892
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-28892 is a Cross-Site Request Forgery (CSRF) vulnerability in the a2rocklobster FTP Sync WordPress plugin (ftp-sync) that allows Stored XSS. This issue affects FTP Sync versions from n/a through 1.1.6 and is associated with CWE-352. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it requires user interaction such as visiting a malicious site. Exploitation enables CSRF to inject and store XSS payloads, potentially leading to session hijacking, data theft, or further site compromise within the changed security scope.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/ftp-sync/vulnerability/wordpress-ftp-sync-plugin-1-1-6-csrf-to-stored-xss-vulnerability?_s_id=cve, provide details on the vulnerability in WordPress FTP Sync plugin version 1.1.6. Security practitioners should consult these references for patch availability and mitigation guidance, such as updating to a fixed version if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CSRF to stored XSS in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications by unauthenticated attackers.