Cyber Resilience

CVE-2025-28889

High

Published: 26 March 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0040 (61.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28889 is a high-severity reflected Cross-site Scripting (CWE-79) vulnerability. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious Link (T1204.001). Its EPSS score of 0.0040 sits at the 61.4th percentile, that is, roughly the top 38.6% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-28889 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Custom Product Stickers for WooCommerce WordPress plugin (slug: custom-product-stickers-for-woocommerce) by starblank, in all versions up to and including 1.9.0 (the advisory gives no lower bound). The vulnerability was published on 2025-03-26.

Attackers can exploit this over the network (AV:N) with low complexity (AC:L) and no privileges (PR:N), but they need user interaction (UI:R): the victim must open a crafted URL, typically delivered by phishing or planted on another site. Scope is changed (S:C) because the injected script executes in the victim's browser, a security authority separate from the vulnerable plugin. Impacts to confidentiality, integrity, and availability are each rated low (C:L/I:L/A:L), giving a CVSS v3.1 base score of 7.1 (High). The practical effect is that attacker-controlled script runs in the context of the site for whichever user follows the link, authenticated or not, with access to the page DOM and to whatever that user's session is permitted to do.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-product-stickers-for-woocommerce/vulnerability/wordpress-custom-product-stickers-for-woocommerce-plugin-1-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS issue in plugin version 1.9.0 and provides details on mitigation.


Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in starblank Custom Product Stickers for Woocommerce custom-product-stickers-for-woocommerce allows Reflected XSS. This issue affects Custom Product Stickers for Woocommerce: from n/a through <= 1.9.0.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 User Execution: Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Reflected XSS enables injection of malicious scripts via a crafted URL that requires user interaction to visit, directly mapping to execution of code through a malicious link.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
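Because the delivery vector is a victim following a crafted link, the footprint on the server side is a GET request whose query string carries markup or script, often arriving with a foreign referer. The following Python is an added example, not part of the original page or of any vendor tooling: it parses combined-format access log lines, percent-decodes each query parameter repeatedly so double-encoded payloads are seen as the browser would see them, and flags values that look like script injection. The log lines are constructed for the example; the `/shop/` path and the `sticker_text` parameter are hypothetical, as the advisory does not name the plugin's affected parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The
# "sticker_text" parameter and the /shop/ path are hypothetical; only the plugin
# slug in the last line comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2025:10:01:02 +0000] "GET /shop/?sticker_text=SALE HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2025:10:02:17 +0000] "GET /shop/?sticker_text=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310 "https://mail.example/inbox" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2025:10:02:40 +0000] "GET /shop/?sticker_text=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300 "-" "curl/8.4.0"
203.0.113.9 - - [26/Mar/2025:10:03:01 +0000] "GET /wp-content/plugins/custom-product-stickers-for-woocommerce/assets/style.css HTTP/1.1" 200 880 "https://shop.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Triage heuristic for script injection in decoded parameter values: tag openers,
# event-handler attributes, javascript: URLs and the ubiquitous alert() probe.
XSS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed|details)\b"
    r"|\bon[a-z]{3,}\s*="
    r"|javascript\s*:"
    r"|\balert\s*\(",
    re.I,
)


def full_decode(value: str, limit: int = 3) -> str:
    """Percent-decode repeatedly (up to `limit` rounds) so double-encoded payloads
    such as %253C are inspected in their final form, as the browser would see them."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_xss_attempts(log_text: str) -> list:
    """Return one record per query parameter whose decoded value looks like an
    XSS payload. The referer is kept because a foreign referer on a GET carrying
    a payload is the footprint of a victim following a malicious link (T1204.001)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl performs one round of decoding; full_decode handles the rest.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            decoded = full_decode(raw)
            if XSS_RE.search(decoded):
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "param": name, "payload": decoded,
                    "referer": m["referer"], "ua": m["ua"],
                    "double_encoded": decoded != raw,
                })
    return hits


if __name__ == "__main__":
    for h in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']:14s} {h['param']}={h['payload']!r} "
              f"status={h['status']} referer={h['referer']} "
              f"double_encoded={h['double_encoded']}")
```

A 200 response to such a request does not by itself prove the payload was reflected unescaped, so treat hits as leads for pulling the response or re-testing the parameter, and tune the pattern list against the site's own traffic before alerting on it.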

CVEs Like This One

CVE-2025-23542Shared CWE-79
CVE-2025-23866Shared CWE-79
CVE-2025-26548Shared CWE-79
CVE-2025-24602Shared CWE-79
CVE-2025-22765Shared CWE-79
CVE-2024-13885Shared CWE-79
CVE-2025-23645Shared CWE-79
CVE-2025-26583Shared CWE-79
CVE-2024-13918Shared CWE-79
CVE-2025-22575Shared CWE-79

Affected Assets

Custom Product Stickers for WooCommerce WordPress plugin (slug: custom-product-stickers-for-woocommerce) by starblank, all versions up to and including 1.9.0.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses improper neutralization of input by requiring validation of user-supplied data, such as URL query parameters, before it is used in web page generation, preventing XSS payload injection.

SI-15 Information Output Filtering (prevent)
Mitigates reflected XSS by encoding or filtering output during web page generation so that injected markup and script are rendered as inert text rather than executed in users' browsers.

Patch (prevent)
Remediates the specific flaw in Custom Product Stickers for WooCommerce versions <= 1.9.0 by identifying, testing, and applying patches to eliminate the XSS vulnerability.
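The CWE-79 pattern described under Deeper analysis and the SI-10 / SI-15 controls above are shown together in the following Python, an added example that is not the plugin's code or any vendor code. It renders a sticker label from a query parameter three ways: reflecting the raw value (the vulnerable pattern), with context-appropriate output encoding only (SI-15), and with allow-list validation followed by encoding (SI-10 plus SI-15). The `sticker_text` parameter name, the allow-list and the `shop.example` host are assumptions for illustration; the advisory does not name the affected parameter.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical query parameter used for illustration only; the advisory on this
# page does not name the plugin's affected parameter.
PARAM = "sticker_text"

# Allow-list for sticker text (SI-10): letters, digits, space and a little
# punctuation, 1 to 40 characters. Adjust to the field's real requirements.
ALLOWED = re.compile(r"[A-Za-z0-9 ._%-]{1,40}")

# Classic reflected-XSS probe: closes the quoted attribute, then adds a script tag.
XSS_PROBE = '"><script>alert(document.domain)</script>'


def param_from_url(url: str) -> str:
    """Extract PARAM from the URL query string (percent-decoded); '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79 pattern: user input is written into HTML with no neutralisation.
    With XSS_PROBE the title attribute is closed early and a <script> tag appears."""
    value = param_from_url(url)
    return f'<span class="sticker" title="{value}">{value}</span>'


def render_encoded(url: str) -> str:
    """SI-15 only: the same markup with output encoding for the contexts used.
    html.escape(quote=True) is correct for a double-quoted attribute and for text
    content; a JavaScript or URL context would need its own encoder."""
    safe = html.escape(param_from_url(url), quote=True)
    return f'<span class="sticker" title="{safe}">{safe}</span>'


def render_validated(url: str) -> str:
    """SI-10 + SI-15: reject input outside the allow-list, then still encode.
    Validation limits what can be reflected; encoding remains the actual XSS fix."""
    value = param_from_url(url)
    if not ALLOWED.fullmatch(value):
        raise ValueError("sticker text rejected by input validation")
    safe = html.escape(value, quote=True)
    return f'<span class="sticker" title="{safe}">{safe}</span>'


def is_reflected_unescaped(body: str, probe: str) -> bool:
    """The check a tester runs on a response: does the probe come back verbatim?"""
    return probe in body


def probe_url(base: str, value: str) -> str:
    """Build the crafted link a victim would be lured into opening (UI:R)."""
    return f"{base}?{PARAM}={quote(value, safe='')}"


if __name__ == "__main__":
    link = probe_url("https://shop.example/", XSS_PROBE)
    print("crafted link:", link)
    for name, render in (("vulnerable", render_vulnerable), ("encoded", render_encoded)):
        body = render(link)
        print(f"{name:10s} reflected unescaped = {is_reflected_unescaped(body, XSS_PROBE)}")
        print("          ", body)
    try:
        render_validated(link)
    except ValueError as exc:
        print("validated  rejected:", exc)
    print("validated  benign  :", render_validated(probe_url("https://shop.example/", "SALE -20%")))
```

In a WordPress plugin the equivalent of `html.escape(quote=True)` is `esc_attr()` for attribute values and `esc_html()` for element text, applied at the point of output; sanitising on input alone (the SI-10 half) is not a substitute, because the same value may later be emitted into a context the input filter never anticipated.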

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/custom-product-stickers-for-woocommerce/vulnerability/wordpress-custom-product-stickers-for-woocommerce-plugin-1-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve