CVE-2025-28893
Published: 26 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-28893 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified as CWE-94, in the Govind Visual Text Editor WordPress plugin (visual-text-editor). It enables Remote Code Inclusion and affects all versions from n/a through 1.2.1. Published on 2025-03-26, the vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), marking it as critical severity.
A remote attacker with low privileges, such as an authenticated WordPress user, can exploit the vulnerability over the network with low attack complexity and no user interaction. Successful exploitation allows remote code execution, resulting in high-impact compromise of confidentiality, integrity, and availability, with a change in scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability?_s_id=cve documents this as a remote code execution issue in Visual Text Editor version 1.2.1 and provides details on mitigation for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a code injection vulnerability (CWE-94) in a public-facing WordPress plugin enabling remote code execution (RCE) with network access and low privileges, directly mapping to exploitation of public-facing applications.