Cyber Posture

CVE-2025-28894

Severity: High
Published: 11 March 2025
Modified: 23 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0008 (23.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-28894 is a Cross-Site Request Forgery (CSRF) vulnerability in the frucomerci List of Posts from each Category plugin for WordPress (list-posts-by-category) that allows Stored XSS. Affected versions run from an unspecified initial version through version 2.0 inclusive; the weakness is classified as CWE-352. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low impact on each of confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker over the network who tricks an authenticated user (such as a WordPress administrator or editor) into performing an unintended action via a forged request, typically a malicious webpage or link that submits data to the plugin on the victim's behalf. Successful exploitation stores a malicious script on the site, which then executes in the browser context of subsequent visitors, including administrators, enabling session hijacking, data theft, or site defacement.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
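The defect class behind CVE-2025-28894 (a state-changing handler reachable without an anti-CSRF token, whose stored value is later printed unescaped) is shown below as an illustrative WordPress settings handler. This is an added example written for this page, not the list-posts-by-category plugin's own code, and the option name, function names and hook names (lpc_demo_*) are hypothetical. The vulnerable shape is shown beside the hardened shape so the specific checks that close CWE-352 and the stored-XSS sink are visible side by side.

```php
<?php
// Illustrative pattern only (constructed for this page, not the plugin's code):
// a settings handler that saves an admin-supplied "footer text" option and
// later prints it on the public site.

// --- Vulnerable shape (CWE-352 leading to stored XSS) -------------------------
// No nonce or referer check: any page that can make a logged-in admin's browser
// POST to this endpoint can change the option. No escaping on output: whatever
// was stored is rendered as raw HTML for every visitor.
function lpc_demo_save_settings_vulnerable() {
    if ( isset( $_POST['lpc_demo_footer'] ) ) {
        update_option( 'lpc_demo_footer', $_POST['lpc_demo_footer'] );
    }
}
function lpc_demo_render_footer_vulnerable() {
    echo get_option( 'lpc_demo_footer', '' );
}

// --- Hardened shape ----------------------------------------------------------
// 1. Capability check: only users allowed to manage options reach the handler.
// 2. Nonce check: the request must carry a token tied to the logged-in user and
//    to this action; a forged cross-site request cannot supply it.
// 3. Sanitise on the way in, escape for the output context on the way out.
function lpc_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce field and stops with a 403 on failure.
    check_admin_referer( 'lpc_demo_save_settings', 'lpc_demo_nonce' );

    if ( isset( $_POST['lpc_demo_footer'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['lpc_demo_footer'] ) );
        update_option( 'lpc_demo_footer', $value );
    }
}
function lpc_demo_render_footer_hardened() {
    // esc_html() neutralises any markup that reached the database.
    echo esc_html( get_option( 'lpc_demo_footer', '' ) );
}

// The settings form must emit the matching nonce field so that legitimate
// submissions from the admin screen pass the check above.
function lpc_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lpc_demo_save_settings">
        <?php wp_nonce_field( 'lpc_demo_save_settings', 'lpc_demo_nonce' ); ?>
        <input type="text" name="lpc_demo_footer"
               value="<?php echo esc_attr( get_option( 'lpc_demo_footer', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_lpc_demo_save_settings', 'lpc_demo_save_settings_hardened' );
```

When reviewing a plugin for this class of issue, look for every code path that calls update_option(), wp_insert_post() or a similar write on request input, and confirm that a capability check and a nonce check (check_admin_referer(), wp_verify_nonce() or check_ajax_referer()) precede the write, and that each place the stored value is printed uses an escaping function appropriate to its context (esc_html(), esc_attr(), esc_url(), or wp_kses() where limited HTML is intended).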

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1491.002 External Defacement (Impact)
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

Why these techniques?

The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables T1190 (exploiting the application over the network). The resulting script injection facilitates T1185 (browser session hijacking) and T1491.002 (external defacement), as noted in the security summary above.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0