Skip to main content

TabGarb Pro CVE-2025-28900

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in webgarb TabGarb Pro allows Stored XSS. This issue affects TabGarb Pro: from n/a through 2.6.

AnalysisAI

Cross-Site Request Forgery (CSRF) in TabGarb Pro WordPress plugin through version 2.6 enables stored cross-site scripting (XSS) attacks. Unauthenticated remote attackers can craft malicious requests that, when executed by authenticated administrators, inject persistent malicious scripts into the plugin's data. EPSS exploitation probability is low at 0.05% (14th percentile), and no public exploit identified at time of analysis, though the attack chain is well-understood for CSRF-to-XSS vulnerabilities in WordPress plugins.

Technical ContextAI

TabGarb Pro is a WordPress plugin for managing browser tabs and organizing content. This vulnerability chains two common web application security flaws: CSRF (CWE-352) allows attackers to execute unauthorized actions on behalf of authenticated users, which in this case leads to stored XSS. The CSRF weakness indicates insufficient anti-CSRF token validation on administrative functions that accept user input. Once the forged request executes, the stored XSS component persists malicious JavaScript in the database, affecting all users who view the compromised content. The changed scope (S:C) in the CVSS vector confirms the XSS component can execute in contexts beyond the vulnerable plugin itself, potentially affecting the entire WordPress installation and other plugins sharing the same origin.

Affected ProductsAI

WordPress TabGarb Pro plugin versions from earliest release through 2.6 are vulnerable. The Patchstack advisory confirms version 2.6 as the last affected release. All WordPress installations running TabGarb Pro 2.6 or earlier are at risk, particularly multi-author sites or those with multiple administrators where social engineering vectors are more viable. Vendor advisory and additional details available at https://patchstack.com/database/wordpress/plugin/tabgarb/vulnerability/wordpress-tabgarb-pro-plugin-2-6-csrf-to-stored-xss-vulnerability.

RemediationAI

Update TabGarb Pro to version 2.7 or later if available, per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tabgarb/vulnerability/wordpress-tabgarb-pro-plugin-2-6-csrf-to-stored-xss-vulnerability. Verify patch availability through WordPress plugin repository or vendor directly, as the input data does not confirm a released patched version. If no patch is available, implement these compensating controls: disable TabGarb Pro plugin until a fix is released, restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules (limits CSRF exposure but impacts remote administration), deploy a web application firewall with CSRF protection rules to validate state tokens on admin POST requests (may cause false positives on legitimate admin actions), and educate administrators to avoid clicking external links while logged into WordPress admin panel (difficult to enforce consistently). The stored XSS component means previously injected payloads will persist even after patching, so review TabGarb Pro data tables for suspicious JavaScript after upgrade and scan admin-accessible pages for unexpected script tags.

Share

CVE-2025-28900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy