Custom top bar CVE-2025-28895
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sumanbiswas013 Custom top bar allows Stored XSS. This issue affects Custom top bar: from n/a through 2.0.2.
AnalysisAI
Stored cross-site scripting (XSS) in the Custom top bar WordPress plugin versions up to 2.0.2 allows remote attackers to inject malicious scripts that execute in victim browsers when they view affected pages. The vulnerability is exploitable via network access without authentication but requires user interaction (victim visiting a page with injected payload). EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation at time of analysis. Patchstack reporting suggests this may be chained with CSRF based on reference URL pattern, though not explicitly confirmed in the CVE description.
Technical ContextAI
This is a classic stored XSS vulnerability (CWE-79) affecting a WordPress plugin that manages custom notification bars. The vulnerability arises from improper neutralization of user input during web page generation - specifically, the plugin fails to sanitize or escape input data before rendering it in HTML output. Unlike reflected XSS, the malicious payload is persisted in the application's data store (database) and served to all users who view the affected pages. The reference URL pattern 'csrf-to-stored-xss' suggests the injection vector may require CSRF to bypass front-end protections, though the CVSS vector PR:N indicates no authentication is strictly required for the underlying XSS. This is a WordPress plugin-specific issue affecting the Custom top bar extension developed by sumanbiswas013, with affected versions spanning through 2.0.2.
Affected ProductsAI
The vulnerability affects Custom top bar WordPress plugin versions from the initial release through version 2.0.2. This is a plugin developed by sumanbiswas013 and distributed through the WordPress plugin ecosystem. Organizations can verify their installation version through the WordPress admin dashboard under Plugins. The Patchstack vulnerability database entry at https://patchstack.com/database/wordpress/plugin/custom-top-bar/ provides vendor-specific details, though the capitalization variance in the second reference URL (Wordpress vs wordpress) suggests potential documentation inconsistency.
RemediationAI
Update Custom top bar plugin to version 2.0.3 or later if available, checking the WordPress plugin repository or contacting the plugin developer sumanbiswas013 directly. As of this analysis, the Patchstack reference (https://patchstack.com/database/wordpress/plugin/custom-top-bar/vulnerability/wordpress-custom-top-bar-plugin-2-0-2-csrf-to-stored-xss-vulnerability) should contain patch availability status and upgrade instructions. If no patched version exists, implement compensating controls: restrict access to Custom top bar configuration settings to trusted administrators only via WordPress role-based access control; implement Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution, though this may break legitimate plugin functionality; enable WordPress's built-in CSRF token validation for all administrative forms if the attack vector involves CSRF. As a last resort, deactivate and remove the Custom top bar plugin entirely if the notification bar functionality is non-critical, replacing it with an actively maintained alternative such as WP Notification Bar or Hello Bar plugins that receive regular security updates.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today