Cyber Resilience

CVE-2025-28894

High

Published: 11 March 2025

Modified: 23 April 2026
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0008 (24.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28894 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 24.0th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28894 is a Cross-Site Request Forgery (CSRF) vulnerability in the frucomerci List of Posts from each Category plugin for WordPress (list-posts-by-category) that allows Stored XSS. The issue affects the plugin from unknown initial versions through version 2.0 inclusive, as documented under CWE-352. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker over the network who tricks an authenticated user—such as a WordPress administrator or editor—into performing an unintended action via a forged request, typically through a malicious webpage or link that submits data to the plugin. Successful exploitation stores a malicious XSS payload on the site, which executes in the browser context of subsequent visitors, including admins, enabling script injection for potential session hijacking, data theft, or site defacement.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve.


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress (list-posts-by-category) allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.

CWE(s): CWE-352 (Cross-Site Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1491.002 External Defacement (Impact): An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Why these techniques?

The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables T1190 (exploiting the app over the network). The resulting script injection facilitates T1185 (browser session hijacking) and T1491.002 (external defacement) as explicitly noted in the description.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23499 (shared CWE-352)
CVE-2025-23900 (shared CWE-352)
CVE-2026-29784 (shared CWE-352)
CVE-2025-25140 (shared CWE-352)
CVE-2025-23567 (shared CWE-352)
CVE-2025-31443 (shared CWE-352)
CVE-2025-31444 (shared CWE-352)
CVE-2025-22690 (shared CWE-352)
CVE-2025-26577 (shared CWE-352)
CVE-2025-30587 (shared CWE-352)

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly remediates the specific CSRF to stored XSS flaw in the frucomerci WordPress plugin by requiring timely patching to version >2.0.

prevent, SC-23 (Session Authenticity): Enforces session authenticity to block forged CSRF requests that submit malicious XSS payloads to the vulnerable plugin endpoint.

prevent, SI-10 (Information Input Validation): Validates information inputs to the plugin to reject malicious XSS payloads even if submitted via CSRF.
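As an added illustration (not the list-posts-by-category plugin's own code, whose handler this page does not show), the following hypothetical WordPress settings handler in PHP has the two defects that together produce the CSRF-to-stored-XSS chain described in the deeper analysis, beside a hardened form that applies the SC-23 and SI-10 controls listed above: a nonce bound to the user's session (wp_nonce_field/check_admin_referer), a capability check, input sanitising (sanitize_text_field) and output escaping (esc_html). Every name prefixed lpbc_demo_ is an assumption for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin form that stores
// one plugin setting (an assumed option "lpbc_demo_heading") and renders it later.

// --- Vulnerable pattern: no nonce, no capability check, no sanitising, no escaping ---
function lpbc_demo_save_vulnerable() {
    // A hidden form on any site an admin visits can POST here (CSRF); the value is
    // stored verbatim and echoed unescaped, so a forged request plants a persistent script.
    update_option( 'lpbc_demo_heading', $_POST['heading'] );
    echo '<h2>' . get_option( 'lpbc_demo_heading' ) . '</h2>';
}

// --- Hardened pattern ---
function lpbc_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lpbc_demo_save">';
    // SC-23: anti-CSRF token tied to the current user's session and this action.
    wp_nonce_field( 'lpbc_demo_save', 'lpbc_demo_nonce' );
    echo '<input type="text" name="heading" value="'
        . esc_attr( get_option( 'lpbc_demo_heading', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function lpbc_demo_save_hardened() {
    // SC-23: a request without a valid nonce for this user/action is rejected here;
    // check_admin_referer() terminates with an error page on failure.
    check_admin_referer( 'lpbc_demo_save', 'lpbc_demo_nonce' );
    // Least privilege: only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // SI-10: strip tags and control characters before storing; bound the length.
    $heading = isset( $_POST['heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['heading'] ) ) : '';
    $heading = substr( $heading, 0, 200 );
    update_option( 'lpbc_demo_heading', $heading );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_lpbc_demo_save', 'lpbc_demo_save_hardened' );

// Output escaping is the last line of defence even for data sanitised on input.
function lpbc_demo_render_heading() {
    echo '<h2>' . esc_html( get_option( 'lpbc_demo_heading', '' ) ) . '</h2>';
}
```

The nonce check alone breaks the CSRF step and the sanitising plus escaping alone break the stored XSS step; a handler that lacks both is what lets a single forged request turn into a persistent payload for every later visitor.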
