Cyber Resilience

CVE-2025-28862

Severity: Medium

Published: 11 March 2025
Modified: 23 April 2026
KEV added: none (not listed in the CISA KEV catalog)
Patch: no entry
CVSS v3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS score: 0.0013 (33.1st percentile)
Risk priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28862 is a medium-severity CSRF (CWE-352) vulnerability in Venugopal Comment Date And Gravatar Remover. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-28862 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Comment Date and Gravatar Remover" (also known as remove-date-and-gravatar-under-comment by Venugopal). The issue affects all versions of the plugin from its initial release through version 1.0 inclusive. Published on 2025-03-11, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with low integrity impact and no effects on confidentiality or availability.

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges, but it requires user interaction, such as clicking a malicious link. An unauthenticated adversary can craft forged requests that trick an authenticated WordPress user (typically an administrator or editor) into unknowingly performing unauthorized actions against the plugin's settings or functions, which could result in unintended modifications.

The Patchstack advisory provides further details on this CSRF issue in the WordPress Comment Date and Gravatar Remover plugin version 1.0: https://patchstack.com/database/Wordpress/Plugin/remove-date-and-gravatar-under-comment/vulnerability/wordpress-comment-date-and-gravatar-remover-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Security practitioners should consult this reference for recommended mitigations, such as applying any available updates or implementing CSRF protections.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Comment Date and Gravatar remover remove-date-and-gravatar-under-comment allows Cross Site Request Forgery. This issue affects Comment Date and Gravatar remover: from n/a through <= 1.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link (User Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF vulnerability in a public-facing WordPress plugin allows forged requests to modify settings when an authenticated user clicks a malicious link, directly mapping to T1190 (exploiting public-facing apps) and T1204.001 (user execution via malicious link).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25121 (shared CWE-352)
CVE-2025-24001 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2026-34904 (shared CWE-352)
CVE-2024-26153 (shared CWE-352)
CVE-2025-28860 (shared CWE-352)
CVE-2026-45430 (shared CWE-352)
CVE-2025-23880 (shared CWE-352)
CVE-2025-59541 (shared CWE-352)
CVE-2026-23622 (shared CWE-352)

Affected Assets

Vendor: venugopal
Product: comment date and gravatar remover
Version: 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of flaws, directly addressing the CSRF vulnerability in the WordPress plugin by mandating patching or remediation.

Prevent: SC-23 (Session Authenticity) enforces mechanisms to protect communications session authenticity, such as anti-CSRF tokens, preventing forged requests that exploit this plugin's CSRF vulnerability.

Prevent: SI-10 (Information Input Validation) mandates validation of information inputs, which includes checking for CSRF tokens on the plugin's state-changing endpoints to block unauthorized modifications.
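The SC-23 and SI-10 controls above translate into a concrete pattern for any WordPress plugin settings handler. The following is an added illustration written for this page; it is not code from the Comment Date and Gravatar Remover plugin, and the option name, function names and admin page slug (all prefixed cdgr_demo) are hypothetical. It places the unprotected handler, which is what a CWE-352 weakness looks like in a plugin, beside a hardened one that uses WordPress's own nonce API (wp_nonce_field / check_admin_referer), a capability check, and strict input coercion.

```php
<?php
// Added illustration, not code from the Comment Date and Gravatar Remover plugin.
// Hypothetical settings handler for a small WordPress plugin that stores one option.
// The unsafe handler honours any POST that reaches admin-post.php; the hardened one
// applies the SC-23 / SI-10 controls named on this page: a per-user, per-action
// anti-CSRF token (a WordPress nonce), a capability check, and input validation.

// --- Vulnerable pattern (what CWE-352 looks like in a plugin settings page) ---
function cdgr_demo_save_settings_unsafe() {
    // Any request carrying the POST field is honoured. A form submitted from
    // another origin by a logged-in administrator's browser changes the option,
    // because the cookie session alone is accepted as proof of intent.
    update_option( 'cdgr_demo_remove_gravatar', isset( $_POST['remove_gravatar'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=cdgr-demo' ) );
    exit;
}

// --- Hardened pattern ---
function cdgr_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits the hidden _wpnonce field, bound to this action and the current user's session.
        wp_nonce_field( 'cdgr_demo_save_settings', '_wpnonce' );
        ?>
        <input type="hidden" name="action" value="cdgr_demo_save_settings">
        <label>
            <input type="checkbox" name="remove_gravatar" value="1"
                <?php checked( 1, (int) get_option( 'cdgr_demo_remove_gravatar', 0 ) ); ?>>
            Remove Gravatar under comments
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

function cdgr_demo_save_settings_safe() {
    // 1. Authorization: only users allowed to manage options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Session authenticity (SC-23): the nonce must match this action for this user.
    //    A form forged on another origin cannot supply it; check_admin_referer()
    //    terminates the request with an error page when the check fails.
    check_admin_referer( 'cdgr_demo_save_settings', '_wpnonce' );
    // 3. Input validation (SI-10): coerce to the only two values the option may hold.
    $remove = ( isset( $_POST['remove_gravatar'] ) && '1' === $_POST['remove_gravatar'] ) ? 1 : 0;
    update_option( 'cdgr_demo_remove_gravatar', $remove );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cdgr-demo' ) ) );
    exit;
}

// Only the hardened handler is wired to admin-post.php for logged-in users.
add_action( 'admin_post_cdgr_demo_save_settings', 'cdgr_demo_save_settings_safe' );
```

When reviewing a plugin for this weakness, the check is mechanical: every handler hooked to admin_post_*, admin_init, or a settings form should reach a check_admin_referer() or wp_verify_nonce() call, and a capability check, before its first update_option() or other state change. The nonce alone is not sufficient, since it proves the request originated from a page the site served to that user, not that the user is authorized; the capability check covers the second half.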
