TabGarb Pro CVE-2025-28900
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in webgarb TabGarb Pro allows Stored XSS. This issue affects TabGarb Pro: from n/a through 2.6.
AnalysisAI
Cross-Site Request Forgery (CSRF) in TabGarb Pro WordPress plugin through version 2.6 enables stored cross-site scripting (XSS) attacks. Unauthenticated remote attackers can craft malicious requests that, when executed by authenticated administrators, inject persistent malicious scripts into the plugin's data. EPSS exploitation probability is low at 0.05% (14th percentile), and no public exploit identified at time of analysis, though the attack chain is well-understood for CSRF-to-XSS vulnerabilities in WordPress plugins.
Technical ContextAI
TabGarb Pro is a WordPress plugin for managing browser tabs and organizing content. This vulnerability chains two common web application security flaws: CSRF (CWE-352) allows attackers to execute unauthorized actions on behalf of authenticated users, which in this case leads to stored XSS. The CSRF weakness indicates insufficient anti-CSRF token validation on administrative functions that accept user input. Once the forged request executes, the stored XSS component persists malicious JavaScript in the database, affecting all users who view the compromised content. The changed scope (S:C) in the CVSS vector confirms the XSS component can execute in contexts beyond the vulnerable plugin itself, potentially affecting the entire WordPress installation and other plugins sharing the same origin.
Affected ProductsAI
WordPress TabGarb Pro plugin versions from earliest release through 2.6 are vulnerable. The Patchstack advisory confirms version 2.6 as the last affected release. All WordPress installations running TabGarb Pro 2.6 or earlier are at risk, particularly multi-author sites or those with multiple administrators where social engineering vectors are more viable. Vendor advisory and additional details available at https://patchstack.com/database/wordpress/plugin/tabgarb/vulnerability/wordpress-tabgarb-pro-plugin-2-6-csrf-to-stored-xss-vulnerability.
RemediationAI
Update TabGarb Pro to version 2.7 or later if available, per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tabgarb/vulnerability/wordpress-tabgarb-pro-plugin-2-6-csrf-to-stored-xss-vulnerability. Verify patch availability through WordPress plugin repository or vendor directly, as the input data does not confirm a released patched version. If no patch is available, implement these compensating controls: disable TabGarb Pro plugin until a fix is released, restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules (limits CSRF exposure but impacts remote administration), deploy a web application firewall with CSRF protection rules to validate state tokens on admin POST requests (may cause false positives on legitimate admin actions), and educate administrators to avoid clicking external links while logged into WordPress admin panel (difficult to enforce consistently). The stored XSS component means previously injected payloads will persist even after patching, so review TabGarb Pro data tables for suspicious JavaScript after upgrade and scan admin-accessible pages for unexpected script tags.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today