Cyber Resilience

CVE-2025-28924

High

Published: 26 March 2025

Published
26 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0019 40.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-28924 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-28924 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Simbul ZenphotoPress (zenphotopress) WordPress plugin. This issue affects all versions of ZenphotoPress from n/a through 1.8 inclusive. The vulnerability was published on 2025-03-26 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this Reflected XSS over the network with low attack complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Exploitation changes the security scope, enabling arbitrary script execution in the victim's browser context, which could result in low-level impacts to confidentiality, integrity, and availability, such as session hijacking or minor data manipulation.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/zenphotopress/vulnerability/wordpress-zenphotopress-plugin-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS vulnerability specifically in the WordPress ZenphotoPress plugin version 1.8, providing further technical details for security practitioners to assess and address exposure.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simbul ZenphotoPress zenphotopress allows Reflected XSS.This issue affects ZenphotoPress: from n/a through <= 1.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Reflected XSS enables arbitrary browser script execution leading to session hijacking (T1185) and requires user interaction via malicious link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13918Shared CWE-79
CVE-2025-68880Shared CWE-79
CVE-2025-24686Shared CWE-79
CVE-2025-22332Shared CWE-79
CVE-2025-23520Shared CWE-79
CVE-2025-28899Shared CWE-79
CVE-2026-25018Shared CWE-79
CVE-2025-23699Shared CWE-79
CVE-2025-23836Shared CWE-79
CVE-2025-23632Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 directly mandates filtering information prior to web page generation to neutralize harmful content like untrusted input in reflected XSS attacks.

prevent

SI-10 requires validation of information inputs to reject malicious scripts injected via user-supplied data in the vulnerable WordPress plugin.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws such as this specific CVE through patching the affected ZenphotoPress plugin versions.

References