CVE-2025-28901
Published: 11 March 2025
Summary
CVE-2025-28901 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28901 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Members page only for logged in users" (slug: members-page-only-for-logged-in-users). This flaw allows Stored XSS and affects all versions of the plugin up to and including 1.4.2. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating a high-severity issue exploitable over the network with low complexity, no required privileges, and user interaction.
An unauthenticated attacker (PR:N) can exploit this CSRF vulnerability by tricking a logged-in user—likely an administrator or authorized user with access to the Members page—into visiting a malicious webpage. This action would forge a request to the vulnerable plugin, enabling the storage of a malicious XSS payload on the Members page. Successful exploitation leads to Stored XSS, potentially allowing the attacker to steal sensitive data (C:L), perform actions on behalf of the victim (I:L), or cause limited denial of service (A:L), with the changed scope (S:C) amplifying impact across contexts.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating to a patched version of the plugin beyond 1.4.2. Security practitioners should verify the latest plugin release and apply updates promptly, while also implementing general CSRF protections like token validation where possible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7858
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users members-page-only-for-logged-in-users allows Stored XSS.This issue affects Members page only for logged in users: from n/a through <= 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF vulnerability in the public-facing WordPress plugin directly enables exploitation of the web application (T1190), and the resulting stored XSS payload facilitates arbitrary JavaScript execution in the browser context of affected users (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely remediation of the specific flaw in the WordPress plugin up to version 1.4.2, directly preventing CSRF exploitation leading to Stored XSS.
Enforces session authenticity mechanisms like anti-CSRF tokens to block unauthenticated attackers from forging requests to store malicious XSS payloads on the Members page.
Requires validation of inputs to the Members page to reject and sanitize malicious scripts injected via the CSRF vulnerability before storage.