CVE-2025-28889
Published: 26 March 2025
Summary
CVE-2025-28889 is a high-severity reflected Cross-site Scripting (CWE-79) vulnerability with a CVSS v3.1 base score of 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious Link (T1204.001). The CVE ranks in the top 38.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-28889 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Custom Product Stickers for WooCommerce WordPress plugin (slug: custom-product-stickers-for-woocommerce) by starblank, in all versions up to and including 1.9.0; no lower bound is given. The vulnerability was published on 2025-03-26.
Attackers can exploit this over the network (AV:N) with low complexity (AC:L) and no privileges (PR:N), but user interaction is required (UI:R): a victim has to be induced to open a crafted URL, typically delivered by e-mail, chat or a link on another site. Because the injected script runs in the victim's browser rather than in the plugin's own security context, scope is changed (S:C); impacts on confidentiality, integrity and availability are each rated low (C:L/I:L/A:L). The resulting CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base score 7.1 (High). The unneutralized request parameter is reflected into the generated page, so the script executes in the browser of whichever user follows the link, whether or not that user is authenticated; an authenticated victim's session is what makes the link worth sending.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-product-stickers-for-woocommerce/vulnerability/wordpress-custom-product-stickers-for-woocommerce-plugin-1-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS issue in plugin version 1.9.0 and provides details on mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8150
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in starblank Custom Product Stickers for Woocommerce custom-product-stickers-for-woocommerce allows Reflected XSS. This issue affects Custom Product Stickers for Woocommerce: from n/a through <= 1.9.0.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
- T1204.001 User Execution: Malicious Link
Why these techniques?
Reflected XSS carries its payload in a crafted URL that the victim must open, so exploitation depends on a user following a malicious link; that is precisely the behaviour T1204.001 (User Execution: Malicious Link) describes, which is why it is the mapped technique rather than a server-side execution technique.
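Because the delivery step is a user opening a crafted link, the server-side trace of an exploitation attempt is an ordinary GET request whose query string carries markup. The following detection script is an added example for this advisory, not code from the plugin or from Patchstack: it parses constructed combined-format access log lines, fully percent-decodes each query parameter (double encoding is a common evasion) and flags values containing script markup. The endpoint (/wp-admin/admin.php?page=cps-settings) and the parameter name (sticker) are assumptions, since the advisory does not disclose the vulnerable parameter.

```python
"""Hunt for reflected-XSS delivery in web server access logs.

Added example for this advisory, not code from the plugin or from Patchstack.
The log lines below are constructed; the endpoint and the 'sticker' parameter
are assumptions, because the advisory does not name the vulnerable parameter.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format, as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup that turns a reflected value into executable script. Evaluated on
# the fully decoded value, never on the raw query string.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|body)\b",
    re.IGNORECASE,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %253C still reveals '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return a finding for a request carrying script markup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qsl removes one layer of encoding; decode_fully handles the rest.
    params = [(k, decode_fully(v))
              for k, v in parse_qsl(url.query, keep_blank_values=True)]
    hits = [(k, v) for k, v in params if XSS_MARKERS.search(v)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "status": int(m.group("status")),
        "params": hits,
        # Reflected XSS is delivered to a victim, so the request usually comes
        # from the victim's IP with an off-site or empty referer, not from the attacker.
        "referer": m.group("referer"),
        # A 200 only proves the page was rendered; whether the value was encoded
        # is not visible in the log and needs a check of the response body.
        "rendered": m.group("status") == "200",
    }


def scan(lines):
    """Run analyze_line over a log and keep the findings."""
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample: two benign requests and two delivery attempts, the second
# of them double-encoded to evade naive string matching on the raw URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2025:10:15:02 +0000] "GET /shop/?sticker=sale&page=2 '
    'HTTP/1.1" 200 5123 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Mar/2025:10:16:40 +0000] "GET /wp-admin/admin.php'
    '?page=cps-settings&sticker=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E '
    'HTTP/1.1" 200 4410 "https://mail.example/inbox" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Mar/2025:10:17:05 +0000] "GET /wp-admin/admin.php'
    '?page=cps-settings&sticker=%2522%253E%253Csvg%2520onload%253Dalert(1)%253E '
    'HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Mar/2025:10:18:00 +0000] "GET /product/blue-shirt/'
    '?utm_source=newsletter HTTP/1.1" 200 7711 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["path"], finding["params"])
```

The markers are deliberately narrow; widen them for your own environment, but keep matching on the decoded value, since a WAF or grep on the raw URL misses the double-encoded request in the sample. A hit on an off-site referer and a 200 status is the pattern to escalate: it means a user followed a link and the page was rendered with the payload in it.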
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-10 Information Input Validation: directly addresses the improper neutralization by requiring that user-supplied data, such as URL query parameters, be validated against what the page actually expects before it is used in web page generation, which stops the XSS payload at the point of entry.
- SI-15 Information Output Filtering: mitigates reflected XSS by encoding or filtering output during page generation so that injected markup and script tags are emitted as inert text rather than executed in users' browsers; the encoding has to match the output context (HTML body, attribute value, JavaScript, URL), because an encoder for one context does not protect another.
- SI-2 Flaw Remediation: remediates the specific flaw in the Custom Product Stickers for WooCommerce plugin versions <= 1.9.0 by identifying, testing and applying the patches that eliminate the XSS vulnerability.
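The exploitation description above (a request parameter reflected into the generated page) and the SI-10/SI-15 controls are two views of the same code path, so one worked example covers both. It is an added example for this advisory, not code from the plugin: a minimal page template that echoes a parameter into an attribute and into body text, first without neutralization, then with context-appropriate output encoding (SI-15), then with allowlist validation on top of it (SI-10). The parameter name (sticker), the template and the allowlist are assumptions, and Python's html.escape stands in for WordPress's esc_attr()/esc_html() so the example runs without WordPress. A small HTML-parser probe reports which tags and on* handlers a browser would actually see in the rendered output.

```python
"""Reflected XSS in page generation: vulnerable sink beside the hardened form.

Added example for this advisory, not code from the plugin. The parameter name
(sticker), the page template and the allowlist are assumptions; the advisory
does not disclose the real sink. html.escape stands in for WordPress's
esc_attr()/esc_html() so that this runs without WordPress.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed payloads: one breaks out of a quoted attribute, one injects a
# tag with an event handler into body text.
PAYLOAD_ATTR = '"><script>alert(document.domain)</script>'
PAYLOAD_TEXT = "<img src=x onerror=alert(1)>"


def _page(attr_value: str, text_value: str) -> str:
    """The reflected template: the same value lands in two HTML contexts."""
    return (f'<input type="text" name="sticker" value="{attr_value}">'
            f"<p>Showing sticker: {text_value}</p>")


def _param(query: str) -> str:
    return parse_qs(query).get("sticker", [""])[0]


def render_vulnerable(query: str) -> str:
    """CWE-79: the request parameter is echoed with no neutralization at all."""
    sticker = _param(query)
    return _page(sticker, sticker)


def render_encoded(query: str) -> str:
    """SI-15 output filtering: encode at the point of emission, per context.
    html.escape(quote=True) is right for HTML text and quoted attribute values;
    a JavaScript or URL context would need a different encoder."""
    sticker = _param(query)
    return _page(html.escape(sticker, quote=True), html.escape(sticker))


ALLOWED_STICKERS = {"sale", "new", "limited"}  # assumed set of valid keys


def render_hardened(query: str) -> str:
    """SI-10 input validation on top of SI-15: values outside the allowlist
    never reach the template, and what does reach it is still encoded."""
    sticker = _param(query)
    if sticker not in ALLOWED_STICKERS:
        sticker = ""
    return _page(html.escape(sticker, quote=True), html.escape(sticker))


class _Surface(HTMLParser):
    """Collects the start tags and on* handlers a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def script_surface(rendered: str):
    """Return (tags, handlers) seen by the parser; injected script shows up as
    anything beyond the template's own input and p tags."""
    p = _Surface()
    p.feed(rendered)
    p.close()
    return p.tags, p.handlers


def probe(renderer, payload: str):
    """Send the payload as the sticker parameter and inspect the rendered page."""
    return script_surface(renderer(urlencode({"sticker": payload})))


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable),
                     ("encoded", render_encoded), ("hardened", render_hardened)]:
        print(name, probe(fn, PAYLOAD_ATTR), probe(fn, PAYLOAD_TEXT))
```

The probe shows why context matters: PAYLOAD_TEXT does not escape the quoted attribute (no quote character in it) but does become an img tag with an onerror handler in the text context, while PAYLOAD_ATTR closes the attribute and the tag and plants a script element in both. Encoding alone neutralizes both payloads here; the allowlist is defense in depth for the case where a future template emits the value into a context the encoder was not written for.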