CVE-2025-28934
Published: 26 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-28934 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the chaozh Simple Post Series WordPress plugin (simple-post-series). This issue affects all versions of the plugin from n/a through 2.4.4 inclusive. The vulnerability was published on 2025-03-26.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, but user interaction needed, with a changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input, such as via a phishing link, leading to arbitrary JavaScript execution in the victim's browser context.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-post-series/vulnerability/wordpress-simple-post-series-plugin-2-4-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS vulnerability in Simple Post Series version 2.4.4, recommending mitigation through updating to a version beyond 2.4.4 where the issue is addressed.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability allows arbitrary JavaScript execution in the victim's browser when a maliciously crafted link is interacted with, directly enabling exploitation for client execution (T1203) and facilitating delivery via spearphishing links (T1566.002).