CVE-2025-28928
Published: 26 March 2025
Summary
CVE-2025-28928 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates reflected XSS by requiring filtering of untrusted input prior to inclusion in dynamically generated web pages.
Addresses the root cause by validating and sanitizing external inputs that could contain malicious scripts reflected back to users.
Ensures timely remediation of the specific flaw in the WordPress plugin through identification, patching, and verification.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly maps to T1190 (exploiting public-facing applications) and enables T1185 (browser session hijacking) via malicious script execution in the victim's browser context as described.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Are you robot google recaptcha for wordpress are-you-robot-recaptcha allows Reflected XSS.This issue affects Are you robot google recaptcha for wordpress: from n/a through <= 2.2.
Deeper analysisAI
CVE-2025-28928 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin "Are you robot google recaptcha for wordpress" (are-you-robot-recaptcha) developed by sureshdsk. The issue impacts all versions from n/a through 2.2, allowing malicious input to be reflected in web page generation without proper neutralization.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can craft malicious payloads delivered via links or inputs that trick authenticated users into triggering the XSS, achieving low-level impacts on confidentiality, integrity, and availability with a changed scope, such as session hijacking or script execution in the victim's browser context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/are-you-robot-recaptcha/vulnerability/wordpress-are-you-robot-google-recaptcha-for-wordpress-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS in plugin version 2.2 and provides vulnerability details for affected WordPress installations.
Details
- CWE(s)