CVE-2025-28894
Published: 11 March 2025
Summary
CVE-2025-28894 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28894 is a Cross-Site Request Forgery (CSRF) vulnerability in the frucomerci List of Posts from each Category plugin for WordPress (list-posts-by-category) that allows Stored XSS. The issue affects the plugin from unknown initial versions through version 2.0 inclusive, as documented under CWE-352. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by any unauthenticated attacker over the network who tricks an authenticated user, such as a WordPress administrator or editor, into performing an unintended action via a forged request, typically through a malicious webpage or link that submits data to the plugin. Successful exploitation stores a malicious XSS payload on the site, which then executes in the browser context of subsequent visitors, including admins, enabling script injection for potential session hijacking, data theft, or site defacement.
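The chain described above, as an added illustration that is not the list-posts-by-category plugin's code and is not derived from the advisory: a generic WordPress settings handler that saves a value without a request-origin check (CSRF) and echoes it unescaped (stored XSS), beside a hardened version that maps to the SC-23 and SI-10 controls named on this page. The option and field names (lpc_demo_title, lpc_title) are assumptions.

```php
<?php
// Added example only: a generic WordPress plugin settings handler, NOT the
// list-posts-by-category plugin's own code. Option/field names are hypothetical.

// Vulnerable pattern: a POST handler that saves a setting with no proof that the
// logged-in user intended the request. A form on an attacker-controlled page can
// submit it in the victim's session (CSRF), and the raw value is later rendered
// without escaping (stored XSS for every subsequent visitor, admins included).
function lpc_demo_save_settings_vulnerable() {
    if ( isset( $_POST['lpc_title'] ) ) {
        update_option( 'lpc_demo_title', $_POST['lpc_title'] ); // no nonce, no sanitising
    }
}
function lpc_demo_render_vulnerable() {
    echo '<h2>' . get_option( 'lpc_demo_title' ) . '</h2>';     // unescaped output
}

// Hardened pattern:
//  - SC-23 (session authenticity): a nonce bound to the user's session plus a
//    capability check, so a forged cross-site request is rejected before saving.
//  - SI-10 (input validation): sanitise on save and escape on output.
function lpc_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lpc_demo_save">';
    wp_nonce_field( 'lpc_demo_save_settings', 'lpc_demo_nonce' );   // per-session token
    echo '<input type="text" name="lpc_title" value="'
        . esc_attr( get_option( 'lpc_demo_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
function lpc_demo_save_settings_hardened() {
    // Reject users who may not change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject requests that lack a valid nonce for this action (the CSRF check).
    check_admin_referer( 'lpc_demo_save_settings', 'lpc_demo_nonce' );

    $title = isset( $_POST['lpc_title'] ) ? wp_unslash( $_POST['lpc_title'] ) : '';
    update_option( 'lpc_demo_title', sanitize_text_field( $title ) ); // strips tags
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
function lpc_demo_render_hardened() {
    echo '<h2>' . esc_html( get_option( 'lpc_demo_title', '' ) ) . '</h2>'; // escaped
}
add_action( 'admin_post_lpc_demo_save', 'lpc_demo_save_settings_hardened' );
```

Note that the nonce check alone would block the CSRF step, while sanitising and escaping alone would neutralise the stored payload; the hardened handler applies both so that either layer failing does not reopen the chain.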
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7853
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables T1190 (exploiting the app over the network). The resulting script injection facilitates T1185 (browser session hijacking) and T1491.002 (external defacement) as explicitly noted in the description.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Directly remediates the specific CSRF to stored XSS flaw in the frucomerci WordPress plugin by requiring timely patching to a version above 2.0.
- SC-23 (Session Authenticity): Enforces session authenticity to block forged CSRF requests that submit malicious XSS payloads to the vulnerable plugin endpoint.
- SI-10 (Information Input Validation): Validates information inputs to the plugin to reject malicious XSS payloads even if submitted via CSRF.