CVE-2025-28925
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28925 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin WATI Chat and Notification (wati-chat-and-notification) by Hieu Nguyen. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 1.1.2.
Attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), resulting in a CVSS v3.1 base score of 7.1. With changed scope (S:C), exploitation has a low impact on confidentiality, integrity, and availability (C:L/I:L/A:L), typically by tricking authenticated users, such as administrators, into submitting forged requests that store XSS payloads for later execution in other users' browsers.
The Patchstack advisory provides further details on this CSRF-to-Stored XSS issue in WATI Chat and Notification version 1.1.2, available at https://patchstack.com/database/Wordpress/Plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve.
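As an added illustration that is not code from the WATI plugin or the advisory, the following hypothetical WordPress settings handler shows the unprotected pattern behind a CSRF-to-stored-XSS bug next to its hardened form; the option name, field name and `admin_post_` action are assumptions.

```php
<?php
// Hypothetical plugin code (constructed for illustration, not the WATI plugin).

// --- Vulnerable pattern: CWE-352 leading to stored XSS ---
// A forged POST from any site the admin visits can write an arbitrary string
// into the option, because nothing ties the request to a form this site issued.
function demo_chat_save_settings_vulnerable() {
    if ( isset( $_POST['demo_chat_message'] ) ) {
        // no nonce check, no capability check, no sanitization
        update_option( 'demo_chat_message', $_POST['demo_chat_message'] );
    }
}
function demo_chat_render_vulnerable() {
    // Unescaped output: whatever was stored runs in every visitor's browser.
    echo '<div class="chat-widget">' . get_option( 'demo_chat_message' ) . '</div>';
}

// --- Hardened pattern ---
function demo_chat_save_settings() {
    // 1. Capability check: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF protection: check_admin_referer() dies unless $_POST['_wpnonce']
    //    holds a valid nonce minted for this exact action.
    check_admin_referer( 'demo_chat_save_settings' );
    // 3. Sanitize before storage.
    $message = isset( $_POST['demo_chat_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_chat_message'] ) )
        : '';
    update_option( 'demo_chat_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function demo_chat_render() {
    // 4. Escape for the HTML context on output, even though input was sanitized.
    echo '<div class="chat-widget">' . esc_html( get_option( 'demo_chat_message', '' ) ) . '</div>';
}
function demo_chat_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_chat_save">';
    wp_nonce_field( 'demo_chat_save_settings' ); // emits the hidden _wpnonce field
    echo '<input type="text" name="demo_chat_message" value="'
        . esc_attr( get_option( 'demo_chat_message', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
// Route the form submission to the hardened handler for logged-in users only.
add_action( 'admin_post_demo_chat_save', 'demo_chat_save_settings' );
```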
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables exploitation of the application over the network (T1190) and involves tricking authenticated users via malicious links to trigger the forged requests (T1204.001).