CVE-2025-28928
Published: 26 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-28928 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin "Are you robot google recaptcha for wordpress" (are-you-robot-recaptcha) developed by sureshdsk. The issue impacts all versions from n/a through 2.2, allowing malicious input to be reflected in web page generation without proper neutralization.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can craft malicious payloads delivered via links or inputs that trick authenticated users into triggering the XSS, achieving low-level impacts on confidentiality, integrity, and availability with a changed scope, such as session hijacking or script execution in the victim's browser context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/are-you-robot-recaptcha/vulnerability/wordpress-are-you-robot-google-recaptcha-for-wordpress-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS in plugin version 2.2 and provides vulnerability details for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly maps to T1190 (exploiting public-facing applications) and enables T1185 (browser session hijacking) via malicious script execution in the victim's browser context as described.