CVE-2025-28880

High

Published: 26 March 2025

Published

26 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0040 61.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-28880 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 38.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Enforces filtering of web page outputs to neutralize untrusted input and prevent reflected XSS execution in the victim's browser.

SI-10 Information Input Validation good match

prevent

Validates user inputs at web entry points to reject or sanitize malicious scripts before reflection in page generation.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific flaw in Blue Captcha plugin versions through 1.7.4 via patching.

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

The reflected XSS vulnerability directly enables arbitrary JavaScript execution in the victim's browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jotis Blue Captcha blue-captcha allows Reflected XSS.This issue affects Blue Captcha: from n/a through <= 1.7.4.

Deeper analysisAI

CVE-2025-28880 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the jotis Blue Captcha (blue-captcha) WordPress plugin. This issue affects all versions from n/a through 1.7.4 inclusive. The vulnerability was published on 2025-03-26 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it necessitates user interaction such as clicking a malicious link. Upon successful exploitation, arbitrary JavaScript executes in the context of the victim's browser, enabling low-level impacts on confidentiality, integrity, and availability, with a changed scope that may affect the security context beyond the targeted user.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/blue-captcha/vulnerability/wordpress-blue-captcha-plugin-1-7-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS vulnerability specific to the WordPress Blue Captcha plugin version 1.7.4. Security practitioners should review this reference for recommended mitigations and any available patches or updates.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2026-1090Shared CWE-79

CVE-2025-22326Shared CWE-79

CVE-2026-34557Shared CWE-79

CVE-2026-3880Shared CWE-79

CVE-2026-23997Shared CWE-79

CVE-2025-69368Shared CWE-79

CVE-2025-0829Shared CWE-79

CVE-2025-23516Shared CWE-79

CVE-2026-2101Shared CWE-79

CVE-2024-26006Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/blue-captcha/vulnerability/wordpress-blue-captcha-plugin-1-7-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com