CVE-2025-28925
Published: 11 March 2025
Summary
CVE-2025-28925 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 24.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28925 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin WATI Chat and Notification (wati-chat-and-notification) by Hieu Nguyen. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 1.1.2.
Attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), resulting in a CVSS v3.1 base score of 7.1. With changed scope (S:C), exploitation allows low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), typically by tricking authenticated users—such as administrators—into submitting malicious requests that store XSS payloads for execution in other users' browsers.
The Patchstack advisory provides further details on this CSRF-to-Stored XSS issue in WATI Chat and Notification version 1.1.2, available at https://patchstack.com/database/Wordpress/Plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7875
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Hieu Nguyen WATI Chat and Notification wati-chat-and-notification allows Stored XSS. This issue affects WATI Chat and Notification: from n/a through <= 1.1.2.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables exploitation of the application over the network (T1190) and involves tricking authenticated users via malicious links to trigger the forged requests (T1204.001).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (patching): Directly remediates the specific CSRF-to-Stored XSS flaw in the WATI Chat and Notification WordPress plugin by identifying, patching, and updating vulnerable versions up to 1.1.2.
- SC-23 (Session Authenticity): Enforces session authenticity mechanisms such as CSRF tokens to prevent unauthorized requests that store malicious XSS payloads in the plugin.
- SI-10 (Information Input Validation): Validates and sanitizes user inputs to block malicious XSS scripts from being accepted and stored via the CSRF vulnerability.
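The two controls above map onto concrete WordPress plugin code. The following is an added illustration written for this page; it is not code from WATI Chat and Notification or from Patchstack, and it does not reproduce the affected plugin's handlers. Every name prefixed `hypo_` (the option, nonce action, page slug and functions) is an assumption made for the example; `check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `wp_unslash`, `esc_attr` and `esc_html` are standard WordPress core functions. It shows a settings-save handler that closes each link of a CSRF-to-stored-XSS chain: a nonce bound to the logged-in session (SC-23), a capability check, sanitization before storage (SI-10), and escaping at every point of output.

```php
<?php
/**
 * Hardened settings handler for a hypothetical WordPress chat-widget plugin.
 * Added example, not the vulnerable plugin's code. Names prefixed "hypo_"
 * are assumptions; the wp_* / esc_* / sanitize_* calls are WordPress core.
 */

// Render the settings form. wp_nonce_field() emits a token tied to the
// current user's session; a cross-site form cannot obtain or guess it.
function hypo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }
    $greeting = get_option( 'hypo_chat_greeting', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <label for="hypo_chat_greeting">Greeting text</label>
        <!-- Escape on output: stored values are never echoed raw into HTML. -->
        <input type="text" id="hypo_chat_greeting" name="hypo_chat_greeting"
               value="<?php echo esc_attr( $greeting ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Each defence closes one link of the CSRF -> stored XSS chain:
//  1. check_admin_referer() rejects any request without a valid nonce (SC-23).
//  2. current_user_can() rejects callers without the required capability.
//  3. sanitize_text_field() strips tags and control characters before the
//     value is stored (SI-10).
function hypo_handle_save_settings() {
    // Stops with a 403 page when the nonce is absent or invalid. A handler
    // that omits this call will accept any POST a logged-in browser sends,
    // which is exactly what a CSRF-to-stored-XSS flaw relies on.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }

    // wp_unslash() undoes WordPress's magic-quotes slashing before sanitizing.
    $raw      = isset( $_POST['hypo_chat_greeting'] ) ? wp_unslash( $_POST['hypo_chat_greeting'] ) : '';
    $greeting = sanitize_text_field( $raw );

    // Bound the length: a value rendered into a front-end widget should not
    // be unbounded, regardless of who submitted it.
    if ( strlen( $greeting ) > 200 ) {
        $greeting = substr( $greeting, 0, 200 );
    }

    update_option( 'hypo_chat_greeting', $greeting );

    wp_safe_redirect(
        add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=hypo' ) )
    );
    exit;
}
add_action( 'admin_post_hypo_save_settings', 'hypo_handle_save_settings' );

// Front-end rendering. Escaping again at output means that even a value
// stored by an older, unpatched version cannot execute as script.
function hypo_render_widget() {
    $greeting = get_option( 'hypo_chat_greeting', '' );
    echo '<div class="hypo-chat-greeting">' . esc_html( $greeting ) . '</div>';
}
add_action( 'wp_footer', 'hypo_render_widget' );
```

When reviewing a plugin for this class of flaw, the three things to look for in each `admin_post_*`, `admin-ajax` or REST handler are exactly the three calls above: a nonce check, a capability check, and sanitization of the input that reaches `update_option()` or the database. Output escaping (`esc_html`/`esc_attr`) is a second layer that limits the blast radius if any one of the three is missing.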