Skip to main content

FTP Sync CVE-2025-28892

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in a2rocklobster FTP Sync allows Stored XSS. This issue affects FTP Sync: from n/a through 1.1.6.

AnalysisAI

Cross-site scripting (XSS) in FTP Sync WordPress plugin versions ≤1.1.6 allows remote attackers to inject malicious scripts into the application via cross-site request forgery (CSRF). Exploitation requires user interaction (victim must be tricked into clicking a malicious link while authenticated), but no authentication is needed by the attacker to initiate the CSRF vector. The changed scope (S:C) indicates potential impact beyond the vulnerable component. No public exploit identified at time of analysis. EPSS score of 0.05% (14th percentile) suggests low probability of mass exploitation.

Technical ContextAI

This vulnerability chains two common web application weaknesses in WordPress plugins: CSRF (CWE-352) enabling stored XSS. FTP Sync is a WordPress plugin that synchronizes files between a local WordPress installation and remote FTP servers. The CSRF vulnerability exists in an administrative function lacking proper nonce validation, allowing attackers to forge requests on behalf of authenticated administrators. The CSRF is leveraged to inject persistent JavaScript payloads into the application (stored XSS), which then execute in the context of other users' browsers. The CVSS changed scope (S:C) indicates the injected script can affect resources beyond the vulnerable plugin itself, typical of XSS that impacts the broader WordPress administrative interface or site frontend.

Affected ProductsAI

FTP Sync WordPress plugin versions from earliest release through 1.1.6 are vulnerable. The affected product is distributed through the WordPress plugin repository as 'ftp-sync'. According to Patchstack's vulnerability database entry at https://patchstack.com/database/wordpress/plugin/ftp-sync/vulnerability/wordpress-ftp-sync-plugin-1-1-6-csrf-to-stored-xss-vulnerability, all versions up to and including 1.1.6 contain the CSRF-to-stored-XSS vulnerability chain. No specific CPE identifier was provided in the available data.

RemediationAI

Uninstall or disable FTP Sync plugin immediately as no vendor-released patch identified at time of analysis. The plugin author (a2rocklobster) has not released version 1.1.7 or higher addressing this vulnerability according to available advisory data from Patchstack (https://patchstack.com/database/wordpress/plugin/ftp-sync/vulnerability/wordpress-ftp-sync-plugin-1-1-6-csrf-to-stored-xss-vulnerability). If FTP synchronization functionality is business-critical, implement compensating controls: restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, enforce multi-factor authentication for all administrator accounts, deploy web application firewall (WAF) rules to block requests lacking WordPress nonces on admin-post actions, and conduct security awareness training emphasizing CSRF attack recognition (warning administrators not to click external links while logged into WordPress admin panel). Alternative solutions include migrating to actively maintained FTP sync plugins with recent security audits or implementing file synchronization through deployment pipelines outside WordPress. Monitor WordPress admin activity logs for unexpected configuration changes.

Share

CVE-2025-28892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy