FTP Sync CVE-2025-28892
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in a2rocklobster FTP Sync allows Stored XSS. This issue affects FTP Sync: from n/a through 1.1.6.
AnalysisAI
Cross-site scripting (XSS) in FTP Sync WordPress plugin versions ≤1.1.6 allows remote attackers to inject malicious scripts into the application via cross-site request forgery (CSRF). Exploitation requires user interaction (victim must be tricked into clicking a malicious link while authenticated), but no authentication is needed by the attacker to initiate the CSRF vector. The changed scope (S:C) indicates potential impact beyond the vulnerable component. No public exploit identified at time of analysis. EPSS score of 0.05% (14th percentile) suggests low probability of mass exploitation.
Technical ContextAI
This vulnerability chains two common web application weaknesses in WordPress plugins: CSRF (CWE-352) enabling stored XSS. FTP Sync is a WordPress plugin that synchronizes files between a local WordPress installation and remote FTP servers. The CSRF vulnerability exists in an administrative function lacking proper nonce validation, allowing attackers to forge requests on behalf of authenticated administrators. The CSRF is leveraged to inject persistent JavaScript payloads into the application (stored XSS), which then execute in the context of other users' browsers. The CVSS changed scope (S:C) indicates the injected script can affect resources beyond the vulnerable plugin itself, typical of XSS that impacts the broader WordPress administrative interface or site frontend.
Affected ProductsAI
FTP Sync WordPress plugin versions from earliest release through 1.1.6 are vulnerable. The affected product is distributed through the WordPress plugin repository as 'ftp-sync'. According to Patchstack's vulnerability database entry at https://patchstack.com/database/wordpress/plugin/ftp-sync/vulnerability/wordpress-ftp-sync-plugin-1-1-6-csrf-to-stored-xss-vulnerability, all versions up to and including 1.1.6 contain the CSRF-to-stored-XSS vulnerability chain. No specific CPE identifier was provided in the available data.
RemediationAI
Uninstall or disable FTP Sync plugin immediately as no vendor-released patch identified at time of analysis. The plugin author (a2rocklobster) has not released version 1.1.7 or higher addressing this vulnerability according to available advisory data from Patchstack (https://patchstack.com/database/wordpress/plugin/ftp-sync/vulnerability/wordpress-ftp-sync-plugin-1-1-6-csrf-to-stored-xss-vulnerability). If FTP synchronization functionality is business-critical, implement compensating controls: restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, enforce multi-factor authentication for all administrator accounts, deploy web application firewall (WAF) rules to block requests lacking WordPress nonces on admin-post actions, and conduct security awareness training emphasizing CSRF attack recognition (warning administrators not to click external links while logged into WordPress admin panel). Alternative solutions include migrating to actively maintained FTP sync plugins with recent security audits or implementing file synchronization through deployment pipelines outside WordPress. Monitor WordPress admin activity logs for unexpected configuration changes.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today