CVE-2025-28862
Published: 11 March 2025
Summary
CVE-2025-28862 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Venugopal "Comment Date and Gravatar Remover" WordPress plugin. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-28862 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Comment Date and Gravatar Remover" (plugin slug remove-date-and-gravatar-under-comment, by Venugopal). The issue affects all versions of the plugin up to and including version 1.0; no lower bound is given in the advisory. Published on 2025-03-11, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): medium severity, low integrity impact, and no effect on confidentiality or availability.
The vector reflects the CSRF pattern: the attacker needs no privileges on the target site (PR:N) and can act from anywhere on the network (AV:N), but the attack only succeeds if a victim who is already logged in performs an action such as visiting an attacker-controlled page or clicking a link (UI:R). Because the victim's browser automatically attaches the WordPress authentication cookies to the forged request, the plugin's state-changing endpoint processes it with the victim's privileges, typically those of an administrator or editor. The realistic outcome is an unauthorized change to the plugin's settings, which is why the integrity impact is rated low rather than high.
The Patchstack advisory provides further details on this CSRF issue in version 1.0 of the plugin: https://patchstack.com/database/Wordpress/Plugin/remove-date-and-gravatar-under-comment/vulnerability/wordpress-comment-date-and-gravatar-remover-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Practitioners should check it for a fixed version before relying on the plugin, and, where no update is available, either remove the plugin or confirm that its state-changing handlers verify a WordPress nonce and a capability. Note that the vulnerability is in the plugin, not in WordPress core, so keeping core up to date does not address it.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7832
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Comment Date and Gravatar remover (remove-date-and-gravatar-under-comment) allows Cross Site Request Forgery. This issue affects Comment Date and Gravatar remover: from n/a through 1.0 (all versions up to and including 1.0).
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability sits in a public-facing WordPress plugin and lets forged requests modify plugin settings when an authenticated user visits a malicious page or clicks a malicious link. That maps to T1190 (Exploit Public-Facing Application) for the vulnerable endpoint itself and to T1204.001 (User Execution: Malicious Link) for the user interaction the CVSS vector requires.
Affected Assets: WordPress sites running the Comment Date and Gravatar Remover plugin (remove-date-and-gravatar-under-comment), versions up to and including 1.0.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of flaws. For this CVE that means tracking the plugin's fix status, updating once a patched release exists, and removing or disabling the plugin where it cannot be updated.
SC-23 (Session Authenticity) requires mechanisms that protect the authenticity of communications sessions. In WordPress the standard mechanism is a per-user, per-action nonce (wp_nonce_field on the form, check_admin_referer or wp_verify_nonce in the handler) combined with a current_user_can capability check; together they cause a forged cross-site request to be rejected even though it carries the victim's authentication cookie.
SI-10 (Information Input Validation) requires validation of information inputs. Applied to this plugin, its state-changing endpoints should reject any request that lacks a valid anti-CSRF token, and should sanitize the submitted settings before storing them, so that a request originating outside the plugin's own form cannot modify state.
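The following illustrates both the exploitation pattern described under "Deeper analysis" and the SC-23/SI-10 controls above in WordPress plugin code. It is an added example written for this page, not code from the Comment Date and Gravatar Remover plugin or from Patchstack; the function names, option names, the `cdgr_` prefix and the `admin_post_*` action names are all hypothetical. The first handler shows the class of flaw CWE-352 describes (a logged-in session is the only thing checked); the second shows the hardened form and handler.

```php
<?php
/*
 * Added example for CVE-2025-28862 (CSRF in a WordPress settings handler).
 * NOT the plugin's own code: all names here are hypothetical.
 */

/*
 * Pattern 1 (vulnerable): the only check is "is someone logged in?".
 * A cross-site POST from an attacker-controlled page carries the victim's
 * WordPress auth cookie, so this check passes and the settings are changed.
 */
function cdgr_vulnerable_save_settings() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.' );
    }
    // No nonce, no capability check: any logged-in user's browser can be
    // made to submit this form from another origin.
    update_option( 'cdgr_hide_date',     isset( $_POST['hide_date'] ) ? 1 : 0 );
    update_option( 'cdgr_hide_gravatar', isset( $_POST['hide_gravatar'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=cdgr&saved=1' ) );
    exit;
}
add_action( 'admin_post_cdgr_vulnerable_save', 'cdgr_vulnerable_save_settings' );

/*
 * Pattern 2 (hardened): the form embeds a nonce bound to this action and to
 * the current user's session; the handler requires a capability and a valid
 * nonce before touching any option.
 */
function cdgr_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cdgr_save">
        <?php wp_nonce_field( 'cdgr_save_settings', 'cdgr_nonce' ); ?>
        <label>
            <input type="checkbox" name="hide_date" value="1"
                   <?php checked( get_option( 'cdgr_hide_date', 0 ), 1 ); ?>>
            Hide comment date
        </label>
        <label>
            <input type="checkbox" name="hide_gravatar" value="1"
                   <?php checked( get_option( 'cdgr_hide_gravatar', 0 ), 1 ); ?>>
            Hide Gravatar
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function cdgr_hardened_save_settings() {
    // Authorization: changing plugin settings is an administrator task.
    // A nonce alone is not authorization, so this check comes first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Session authenticity (SC-23): check_admin_referer() verifies the nonce
    // in $_REQUEST['cdgr_nonce'] against the 'cdgr_save_settings' action and
    // the current user, and dies with a 403 page if it is missing or invalid.
    // A cross-site attacker cannot read the victim's page to obtain the nonce.
    check_admin_referer( 'cdgr_save_settings', 'cdgr_nonce' );

    // Input validation (SI-10): store only the normalized boolean values.
    update_option( 'cdgr_hide_date',     isset( $_POST['hide_date'] ) ? 1 : 0 );
    update_option( 'cdgr_hide_gravatar', isset( $_POST['hide_gravatar'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=cdgr&saved=1' ) );
    exit;
}
add_action( 'admin_post_cdgr_save', 'cdgr_hardened_save_settings' );
```

When reviewing a plugin for this flaw, look at every `admin_post_*`, `wp_ajax_*`, `admin_init` and REST callback that calls `update_option`, `delete_option` or similar, and confirm each one reaches a `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` call and a `current_user_can` check before the write. WordPress nonces are bound to the user and rotate within roughly a day, so a token captured from one session is not reusable by an attacker who can only make the victim's browser send requests.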