
CVE-2025-28893

Critical · RCE

Published: 26 March 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28893 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 31.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28893 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified as CWE-94, in the Govind Visual Text Editor WordPress plugin (visual-text-editor). It enables Remote Code Inclusion and affects all versions up to and including 1.2.1. Published on 2025-03-26, the vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), marking it as critical severity.

A remote attacker with low privileges, such as an authenticated WordPress user, can exploit the vulnerability over the network with low attack complexity and no user interaction. Successful exploitation allows remote code execution, resulting in high-impact compromise of confidentiality, integrity, and availability, with a change in scope.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability?_s_id=cve documents this as a remote code execution issue in Visual Text Editor version 1.2.1 and provides details on mitigation for affected WordPress installations.


Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through <= 1.2.1.

CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a code injection vulnerability (CWE-94) in a public-facing WordPress plugin enabling remote code execution (RCE) with network access and low privileges, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)


Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-2 (Flaw Remediation) requires identification, prioritization, and correction of the specific code injection flaw in visual-text-editor versions <= 1.2.1 through timely patching.

Prevent: SI-10 (Information Input Validation) directly prevents code injection by enforcing validation of user inputs to the vulnerable text editor functionality.

Prevent, detect: RA-5 (Vulnerability Monitoring and Scanning) mandates vulnerability scanning to detect and remediate CVE-2025-28893 in deployed WordPress installations with the visual-text-editor plugin.
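The RA-5 control above calls for scanning deployed WordPress installations for the affected plugin. The following is an added inventory check, not code from the advisory, the plugin, or Patchstack: it reads the standard WordPress plugin file header (the `Version:` field), compares it against the advisory's affected range (all versions <= 1.2.1), and reports whether the installed copy falls inside it. It assumes the plugin lives under the usual `wp-content/plugins/visual-text-editor` directory; the embedded header is a constructed sample, not the real plugin file.

```python
import os
import re

# Constructed sample of a WordPress plugin file header, following the standard
# header format. It is NOT the actual header of the visual-text-editor plugin.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Visual Text Editor
 * Version: 1.2.1
 * Author: Govind
 */
"""

# Upper bound of the affected range as stated in the advisory (<= 1.2.1).
LAST_AFFECTED_VERSION = "1.2.1"


def parse_version(version: str) -> tuple:
    """Turn '1.2.1' (or '1.2.1-beta') into a comparable tuple of ints.

    Non-numeric suffixes are ignored; a missing component is treated as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when `version` is inside the affected range (version <= last_affected)."""
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so '1.2' compares as '1.2.0'
    b += (0,) * (width - len(b))
    return a <= b


def plugin_version_from_header(header_text: str):
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def scan_plugins_dir(plugins_dir: str, slug: str = "visual-text-editor"):
    """Locate the plugin by slug under wp-content/plugins and return
    (installed_version, affected) or None when the plugin is not present."""
    plugin_dir = os.path.join(plugins_dir, slug)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        # WordPress only reads the first few KB of the main file for the header.
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = plugin_version_from_header(fh.read(8192))
        if version:
            return version, is_affected(version)
    return None


if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    status = "AFFECTED" if is_affected(v) else "not affected"
    print(f"visual-text-editor {v}: {status} (CVE-2025-28893)")
```

A version inside the range should be treated as needing remediation under SI-2; the script only establishes presence and version, it does not confirm whether a given build has been patched, so treat its output as a triage signal to be confirmed against the vendor's release notes.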
