Skip to main content

Custom top bar CVE-2025-28895

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 25, 2026 - 00:42 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 00:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sumanbiswas013 Custom top bar allows Stored XSS. This issue affects Custom top bar: from n/a through 2.0.2.

AnalysisAI

Stored cross-site scripting (XSS) in the Custom top bar WordPress plugin versions up to 2.0.2 allows remote attackers to inject malicious scripts that execute in victim browsers when they view affected pages. The vulnerability is exploitable via network access without authentication but requires user interaction (victim visiting a page with injected payload). EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation at time of analysis. Patchstack reporting suggests this may be chained with CSRF based on reference URL pattern, though not explicitly confirmed in the CVE description.

Technical ContextAI

This is a classic stored XSS vulnerability (CWE-79) affecting a WordPress plugin that manages custom notification bars. The vulnerability arises from improper neutralization of user input during web page generation - specifically, the plugin fails to sanitize or escape input data before rendering it in HTML output. Unlike reflected XSS, the malicious payload is persisted in the application's data store (database) and served to all users who view the affected pages. The reference URL pattern 'csrf-to-stored-xss' suggests the injection vector may require CSRF to bypass front-end protections, though the CVSS vector PR:N indicates no authentication is strictly required for the underlying XSS. This is a WordPress plugin-specific issue affecting the Custom top bar extension developed by sumanbiswas013, with affected versions spanning through 2.0.2.

Affected ProductsAI

The vulnerability affects Custom top bar WordPress plugin versions from the initial release through version 2.0.2. This is a plugin developed by sumanbiswas013 and distributed through the WordPress plugin ecosystem. Organizations can verify their installation version through the WordPress admin dashboard under Plugins. The Patchstack vulnerability database entry at https://patchstack.com/database/wordpress/plugin/custom-top-bar/ provides vendor-specific details, though the capitalization variance in the second reference URL (Wordpress vs wordpress) suggests potential documentation inconsistency.

RemediationAI

Update Custom top bar plugin to version 2.0.3 or later if available, checking the WordPress plugin repository or contacting the plugin developer sumanbiswas013 directly. As of this analysis, the Patchstack reference (https://patchstack.com/database/wordpress/plugin/custom-top-bar/vulnerability/wordpress-custom-top-bar-plugin-2-0-2-csrf-to-stored-xss-vulnerability) should contain patch availability status and upgrade instructions. If no patched version exists, implement compensating controls: restrict access to Custom top bar configuration settings to trusted administrators only via WordPress role-based access control; implement Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution, though this may break legitimate plugin functionality; enable WordPress's built-in CSRF token validation for all administrative forms if the attack vector involves CSRF. As a last resort, deactivate and remove the Custom top bar plugin entirely if the notification bar functionality is non-critical, replacing it with an actively maintained alternative such as WP Notification Bar or Hello Bar plugins that receive regular security updates.

Share

CVE-2025-28895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy