CVE-2025-28901

CVE-2025-28901 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Members page only for logged in users" (slug: members-page-only-for-logged-in-users). This flaw allows Stored XSS and affects all versions of the plugin up to and including 1.4.2. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating a high-severity issue exploitable over the network with low complexity, no required privileges, and user interaction.

An unauthenticated attacker (PR:N) can exploit this CSRF vulnerability by tricking a logged-in user—likely an administrator or authorized user with access to the Members page—into visiting a malicious webpage. This action would forge a request to the vulnerable plugin, enabling the storage of a malicious XSS payload on the Members page. Successful exploitation leads to Stored XSS, potentially allowing the attacker to steal sensitive data (C:L), perform actions on behalf of the victim (I:L), or cause limited denial of service (A:L), with the changed scope (S:C) amplifying impact across contexts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating to a patched version of the plugin beyond 1.4.2. Security practitioners should verify the latest plugin release and apply updates promptly, while also implementing general CSRF protections like token validation where possible.