CVE-2025-28890
Published: 26 March 2025
Summary
CVE-2025-28890 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-28890 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Lightview Plus (lightview-plus) WordPress plugin by puzich, impacting all versions from n/a through 3.1.3 inclusive. The issue was published on 2025-03-26 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers with network access can exploit this vulnerability by crafting inputs that the plugin reflects back, unneutralized, into dynamically generated web pages. Exploitation requires user interaction, such as a victim clicking an attacker-supplied link, after which the XSS payload executes in the victim's browser context. Successful attacks have low impact on confidentiality, integrity, and availability, with a changed scope (S:C) because the script runs in the browser of the visiting user rather than on the vulnerable plugin itself, so it can affect resources and users beyond the plugin.
Advisories, including the Patchstack reference at https://patchstack.com/database/Wordpress/Plugin/lightview-plus/vulnerability/wordpress-lightview-plus-plugin-3-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, detail the vulnerability in the WordPress Lightview Plus plugin up to version 3.1.3 and provide guidance on mitigation, such as applying available patches or updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8149
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in puzich Lightview Plus lightview-plus allows Reflected XSS. This issue affects Lightview Plus: from n/a through <= 3.1.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application); exploitation requires the victim to open a malicious link (T1204.001, User Execution: Malicious Link); the payload then executes JavaScript in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
Mitigating Controls (NIST 800-53 r5)
- SI-15 Information Output Filtering directly prevents reflected XSS by ensuring user-controlled input is filtered or encoded for its output context before it is included in dynamically generated web pages.
- SI-10 Information Input Validation neutralizes malicious payloads in user input before the Lightview Plus plugin processes them, stopping XSS exploitation at the point of entry.
- SI-2 Flaw Remediation addresses this specific XSS vulnerability by applying the available patches or updates to affected Lightview Plus versions (all versions through 3.1.3).