CVE-2025-28893
Published: 26 March 2025
Summary
CVE-2025-28893 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28893 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified as CWE-94, in the Govind Visual Text Editor WordPress plugin (visual-text-editor). It enables Remote Code Inclusion and affects all versions from n/a through 1.2.1. Published on 2025-03-26, the vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), marking it as critical severity.
A remote attacker with low privileges, such as an authenticated WordPress user, can exploit the vulnerability over the network with low attack complexity and no user interaction. Successful exploitation allows remote code execution, resulting in high-impact compromise of confidentiality, integrity, and availability, with a change in scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability?_s_id=cve documents this as a remote code execution issue in Visual Text Editor version 1.2.1 and provides details on mitigation for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8148
Vulnerability details
Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion.This issue affects Visual Text Editor: from n/a through <= 1.2.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a code injection vulnerability (CWE-94) in a public-facing WordPress plugin enabling remote code execution (RCE) with network access and low privileges, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires identification, prioritization, and correction of the specific code injection flaw in visual-text-editor versions <=1.2.1 through timely patching.
SI-10 directly prevents code injection by enforcing validation of user inputs to the vulnerable text editor functionality.
RA-5 mandates vulnerability scanning to detect and remediate CVE-2025-28893 in deployed WordPress installations with the visual-text-editor plugin.