CVE-2025-28897
Published: 11 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-28897 is a Cross-Site Request Forgery (CSRF) vulnerability in the Steveorevo Domain Theme (domain-theme) WordPress plugin that allows Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin through 1.3 inclusive; the earliest affected version is not known.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity, but user interaction is required: the victim—typically an authenticated user such as an administrator—must be tricked into visiting a malicious site or clicking a crafted link. The victim's browser then submits a forged request to the plugin, which stores the attacker-supplied XSS payload. Exploitation yields low impacts on confidentiality, integrity, and availability with a changed scope, per its CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), and is associated with CWE-352.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/domain-theme/vulnerability/wordpress-domain-theme-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations for affected WordPress installations.
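The root cause of a CSRF-to-stored-XSS chain of this kind is a state-changing handler that neither verifies a WordPress nonce nor checks the caller's capability, combined with unescaped output of the stored value. The example below is an added illustration of the standard WordPress defenses and is not the domain-theme plugin's own code; the option name, action name and function names are hypothetical placeholders.

```php
<?php
/**
 * Added example (not the plugin's code): a settings handler hardened against
 * CSRF and stored XSS. Names prefixed "dtdemo_" are hypothetical.
 */

// Render the settings form. wp_nonce_field() emits a hidden nonce tied to the
// action name; a forged cross-site request cannot know its value.
function dtdemo_render_form() {
    $current = get_option( 'dtdemo_banner_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dtdemo_save">
        <?php wp_nonce_field( 'dtdemo_save_settings', 'dtdemo_nonce' ); ?>
        <label>Banner text
            <!-- esc_attr() on output: a stored payload cannot break out of the attribute -->
            <input type="text" name="banner_text" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handle the POST. Both checks are required: the nonce defeats CSRF, the
// capability check enforces least privilege even for a logged-in user.
function dtdemo_handle_save() {
    // Dies with "The link you followed has expired" if the nonce is missing or invalid.
    check_admin_referer( 'dtdemo_save_settings', 'dtdemo_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Sanitize on input: strips tags and control characters before storage.
    $text = isset( $_POST['banner_text'] ) ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) ) : '';
    update_option( 'dtdemo_banner_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_dtdemo_save', 'dtdemo_handle_save' );

// Front-end display: escape for the HTML context at the point of output.
function dtdemo_print_banner() {
    echo '<div class="dtdemo-banner">' . esc_html( get_option( 'dtdemo_banner_text', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'dtdemo_print_banner' );
```

When reviewing a plugin for this bug class, look for `$_POST`/`$_GET` reads in handlers hooked to `admin_post_*`, `wp_ajax_*`, or `admin_init` that lack a `check_admin_referer()`/`wp_verify_nonce()` call and a `current_user_can()` check, and for stored option values echoed without `esc_html()`/`esc_attr()`; sanitizing on input alone does not protect output rendered in a different context.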
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin is exploited via CSRF to inject a stored XSS payload, which maps directly to public-facing application exploitation and client-side JavaScript execution.