Cyber Resilience

CVE-2025-28901

High

Published: 11 March 2025

Published
11 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0008 24.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-28901 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28901 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Members page only for logged in users" (slug: members-page-only-for-logged-in-users). This flaw allows Stored XSS and affects all versions of the plugin up to and including 1.4.2. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating a high-severity issue exploitable over the network with low complexity, no required privileges, and user interaction.

An unauthenticated attacker (PR:N) can exploit this CSRF vulnerability by tricking a logged-in user—likely an administrator or authorized user with access to the Members page—into visiting a malicious webpage. This action would forge a request to the vulnerable plugin, enabling the storage of a malicious XSS payload on the Members page. Successful exploitation leads to Stored XSS, potentially allowing the attacker to steal sensitive data (C:L), perform actions on behalf of the victim (I:L), or cause limited denial of service (A:L), with the changed scope (S:C) amplifying impact across contexts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating to a patched version of the plugin beyond 1.4.2. Security practitioners should verify the latest plugin release and apply updates promptly, while also implementing general CSRF protections like token validation where possible.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users members-page-only-for-logged-in-users allows Stored XSS.This issue affects Members page only for logged in users: from n/a through <= 1.4.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CSRF vulnerability in the public-facing WordPress plugin directly enables exploitation of the web application (T1190), and the resulting stored XSS payload facilitates arbitrary JavaScript execution in the browser context of affected users (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-28931Shared CWE-352
CVE-2025-23980Shared CWE-352
CVE-2025-23710Shared CWE-352
CVE-2025-23822Shared CWE-352
CVE-2025-25128Shared CWE-352
CVE-2025-31616Shared CWE-352
CVE-2025-23483Shared CWE-352
CVE-2025-23817Shared CWE-352
CVE-2025-23446Shared CWE-352
CVE-2025-23664Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely remediation of the specific flaw in the WordPress plugin up to version 1.4.2, directly preventing CSRF exploitation leading to Stored XSS.

prevent

Enforces session authenticity mechanisms like anti-CSRF tokens to block unauthenticated attackers from forging requests to store malicious XSS payloads on the Members page.

prevent

Requires validation of inputs to the Members page to reject and sanitize malicious scripts injected via the CSRF vulnerability before storage.

References