Skip to main content

WP Compare Tables CVE-2025-28883

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Martin WP Compare Tables allows Stored XSS. This issue affects WP Compare Tables: from n/a through 1.0.5.

AnalysisAI

Cross-Site Request Forgery (CSRF) in WP Compare Tables plugin versions up to 1.0.5 enables attackers to chain CSRF with Stored XSS, allowing persistent malicious script injection via forged administrative requests. Reported by Patchstack, this vulnerability carries a 7.1 CVSS score with changed scope, indicating potential lateral impact beyond the vulnerable plugin. EPSS score of 0.05% (14th percentile) suggests low current exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Primary risk is targeted attacks against WordPress administrators through social engineering.

Technical ContextAI

This vulnerability exploits the lack of CSRF protection (CWE-352) in the WP Compare Tables WordPress plugin, enabling attackers to chain CSRF with Stored Cross-Site Scripting. The plugin fails to implement proper nonce validation or request verification tokens on administrative actions that accept user-controllable data, allowing malicious code injection into database-stored content. The CVSS scope change (S:C) indicates the injected XSS payload can execute in the context of site visitors beyond just the administrator who was CSRF'd, creating a two-stage attack: first compromise admin via CSRF, then leverage stored XSS to impact all users viewing the affected tables. WordPress plugins commonly store table configuration data in the wp_options or custom database tables without sufficient input sanitization or output encoding, creating persistent XSS vectors when combined with CSRF vulnerabilities.

Affected ProductsAI

WordPress WP Compare Tables plugin versions from unknown starting point through version 1.0.5 are confirmed vulnerable per Patchstack database. The vendor is Martin, and the vulnerability was reported by audit@patchstack.com. Full advisory details are available at https://patchstack.com/database/wordpress/plugin/wp-compare-tables/vulnerability/wordpress-wp-compare-tables-plugin-1-0-5-csrf-to-stored-xss-vulnerability. The starting version of the vulnerable range is not specified in available data, suggesting the vulnerability may exist in all versions up to and including 1.0.5.

RemediationAI

Update WP Compare Tables plugin to version 1.0.6 or later if available-verify current version status at official WordPress plugin repository or vendor website. No specific patched version is confirmed in the provided CVE data, so administrators should check https://patchstack.com/database/wordpress/plugin/wp-compare-tables/vulnerability/wordpress-wp-compare-tables-plugin-1-0-5-csrf-to-stored-xss-vulnerability for latest patch availability. If no patch exists, consider deactivating and removing the plugin if not business-critical. As compensating controls until patch deployment: implement Content Security Policy (CSP) headers with strict-dynamic and nonce-based script execution to mitigate stored XSS impact (trade-off: may break legitimate inline scripts requiring theme/plugin compatibility testing), restrict WordPress admin panel access to specific IP addresses via .htaccess or firewall rules (trade-off: reduces mobility for legitimate administrators), and educate administrators to never click links in emails or messages while logged into WordPress dashboard (trade-off: relies on human behavior which is unreliable). Deploy Web Application Firewall (WAF) rules to detect and block common CSRF patterns in POST requests to WordPress admin-ajax.php and admin-post.php endpoints (trade-off: potential false positives on legitimate admin actions requiring rule tuning).

Share

CVE-2025-28883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy