CVE-2025-28868
Published: 11 March 2025
Summary
CVE-2025-28868 is a medium-severity CSRF (CWE-352) vulnerability in Condenast Ziplist Recipe. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-28868 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the ZipList Recipe plugin (ziplist-recipe-plugin) for WordPress. The issue affects versions from n/a through 3.1 inclusive and was published on 2025-03-11.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). An unauthenticated attacker can exploit it over the network with low attack complexity, provided the victim performs required user interaction such as clicking a malicious link. Exploitation enables low-impact integrity violations with no effect on confidentiality or availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ziplist-recipe-plugin/vulnerability/wordpress-ziplist-recipe-plugin-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7837
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe ziplist-recipe-plugin allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through <= 3.1.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
A CSRF flaw in a public-facing WordPress plugin maps directly to Exploit Public-Facing Application (T1190); because exploitation requires the victim to click a malicious link, it also maps to User Execution: Malicious Link (T1204.001).
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-2 (Flaw Remediation): Directly remediates the CSRF vulnerability in the ZipList Recipe plugin by identifying, prioritizing, and applying patches or updates to affected versions up to 3.1.
- SC-23 (Session Authenticity): Protects against CSRF by enforcing session authenticity mechanisms such as unique session identifiers and anti-CSRF tokens that tie each state-changing request to the user's session.
- Input validation: Mitigates CSRF by validating recipe-related inputs for authenticity and integrity, so a forged request fails even if session checks are bypassed.
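To show what the SC-23 anti-CSRF-token control looks like in a WordPress plugin, here is an added example; it is not code from the ZipList Recipe plugin or from Patchstack. It contrasts a form handler with no request-origin check (the CWE-352 pattern) against one that verifies a WordPress nonce and a capability before saving. The hook name save_example_recipe, the option example_recipe_title, the nonce action example_recipe_save and the manage_options capability are assumptions chosen for the example; wp_nonce_field(), check_admin_referer(), current_user_can() and the admin_post_ hook are standard WordPress APIs.

```php
<?php
// Added example, not the ZipList Recipe plugin's code. Hypothetical handler that
// saves a recipe title submitted from a form in wp-admin. Hook, option and nonce
// names below are assumptions.

// Unprotected pattern (for contrast only; not registered on any hook): every
// POST reaching the handler is honoured, so a page on another origin can submit
// this form on behalf of a logged-in administrator.
function example_recipe_save_unprotected() {
    update_option( 'example_recipe_title', sanitize_text_field( wp_unslash( $_POST['recipe_title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-recipe' ) );
    exit;
}

// Hardened form: wp_nonce_field() emits a hidden token bound to the current
// user, session and action, which is what SC-23 calls a session authenticity
// mechanism.
function example_recipe_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_recipe_save', 'example_recipe_nonce' ); ?>
        <input type="hidden" name="action" value="save_example_recipe">
        <input type="text" name="recipe_title"
               value="<?php echo esc_attr( get_option( 'example_recipe_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened handler: the nonce is checked before any state change.
function example_recipe_save_protected() {
    // Stops the request (WordPress "link expired" page, HTTP 403) unless the
    // nonce in example_recipe_nonce was issued for this action to this user and
    // is still within its lifetime. A cross-origin page cannot read the token,
    // so a forged request fails here.
    check_admin_referer( 'example_recipe_save', 'example_recipe_nonce' );

    // A valid nonce proves the request came from a form WordPress rendered for
    // this user; it does not prove authorisation, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-recipe' ), 403 );
    }

    // Input validation on the field itself (the third control above) is still
    // applied after the origin check.
    update_option( 'example_recipe_title', sanitize_text_field( wp_unslash( $_POST['recipe_title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-recipe' ) );
    exit;
}
add_action( 'admin_post_save_example_recipe', 'example_recipe_save_protected' );
```

When reviewing a plugin for this class of issue, the check is mechanical: every admin_post_, admin-ajax and REST handler that writes data should call check_admin_referer(), check_ajax_referer() or wp_verify_nonce() (or, for REST routes, carry a permission_callback) before touching options, posts or files, and the nonce check should sit alongside, not instead of, a current_user_can() test.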