CVE-2025-28895
Published: 11 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-28895 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Custom top bar WordPress plugin developed by Suman Biswas. The plugin, known as custom-top-bar, is affected in all versions from n/a through 2.1 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable remotely over the network with low attack complexity, no required privileges, but necessitating user interaction, and resulting in a changed scope with low impacts to confidentiality, integrity, and availability. An unauthenticated attacker can leverage this flaw, potentially via CSRF leading to Stored XSS as noted in related advisories, to inject malicious scripts that execute in the context of other users viewing affected pages.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-top-bar/vulnerability/wordpress-custom-top-bar-plugin-2-0-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides further details on the vulnerability, including specifics on exploitation paths. Security practitioners should consult this reference for recommended mitigations, such as applying available patches or implementing input sanitization workarounds.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and allows injection/execution of arbitrary JavaScript in victim browsers (T1059.007).