CVE-2025-28865
Published: 26 March 2025
Summary
CVE-2025-28865 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-28865 is a reflected cross-site scripting vulnerability (CWE-79) in the WP Colorful Tag Cloud WordPress plugin, affecting versions through 2.0.1. The flaw stems from improper neutralization of input during web page generation and carries a CVSS 3.1 score of 7.1.
An unauthenticated remote attacker can exploit the issue by crafting a malicious link that, when clicked by a victim, executes arbitrary script in the context of the affected site. Successful exploitation allows the attacker to perform actions such as stealing cookies or session tokens, redirecting users, or altering page content with limited impact to confidentiality, integrity, and availability.
The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0111, indicating emerging exploitation interest after public disclosure. The single referenced advisory from Patchstack identifies the reflected XSS vector but provides no further mitigation details in the available record.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8157
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lionelroux WP Colorful Tag Cloud wp-colorful-tag-cloud allows Reflected XSS.This issue affects WP Colorful Tag Cloud: from n/a through <= 2.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web application (T1190) via malicious crafted URLs requiring user interaction (T1204.001), directly facilitating browser script execution to steal session cookies (T1185).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates reflected XSS by requiring filtering of user inputs prior to inclusion in dynamically generated web pages.
Prevents injection of malicious scripts by validating and sanitizing untrusted inputs at system entry points in the WordPress plugin.
Addresses the specific flaw in WP Colorful Tag Cloud plugin versions <=2.0.1 by requiring timely identification, reporting, and patching of the XSS vulnerability.