CVE-2025-28861
Published: 11 March 2025
Summary
CVE-2025-28861 is a high-severity CSRF (CWE-352) vulnerability in Bhzad Wp Jquery Persian Datepicker. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28861 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP jQuery Persian Datepicker plugin (wpjqp-datepicker) for WordPress, developed by bhzad, that enables stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin up to and including 0.1.0. It has been assigned a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, lack of required privileges, and scope change.
Attackers can exploit this vulnerability without authentication by tricking authenticated users into performing unintended actions via a malicious website or resource, such as a crafted link or form submission. User interaction is required, but successful exploitation leads to stored XSS, allowing attackers to inject malicious scripts that persist on the site and execute in the context of other users' browsers, potentially resulting in low-level impacts on confidentiality, integrity, and availability with elevated scope.
The Patchstack advisory provides details on the vulnerability, including mitigation recommendations; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/wpjqp-datepicker/vulnerability/wordpress-wp-jquery-persian-datepicker-plugin-0-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve for patching instructions and further analysis.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7831
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS.This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary JavaScript execution in victims' browsers via the injected persistent script (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces session authenticity mechanisms like CSRF tokens to prevent unauthorized forged requests that lead to stored XSS in the WordPress plugin.
Validates and sanitizes plugin inputs to block malicious payloads from being stored and enabling XSS execution.
Filters information outputs to neutralize any stored XSS scripts before they execute in users' browsers.