Skip to main content

Members page only for logged in users CVE-2025-28901

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users allows Stored XSS. This issue affects Members page only for logged in users: from n/a through 1.4.2.

AnalysisAI

Stored XSS via CSRF in Members page only for logged in users WordPress plugin (versions ≤1.4.2) allows remote attackers to inject malicious scripts that execute when administrators view plugin settings. The attack chain requires tricking an authenticated admin into clicking a malicious link or visiting an attacker-controlled page, which submits a forged request storing XSS payloads in the database. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis. This is a CSRF-to-stored-XSS chain requiring social engineering against WordPress administrators.

Technical ContextAI

This vulnerability combines two weakness classes: CWE-352 (Cross-Site Request Forgery) and stored Cross-Site Scripting. WordPress plugins often expose administrative settings pages that accept POST requests to update configuration values. When CSRF protections (WordPress nonces) are missing or improperly validated, attackers can craft malicious HTML forms or JavaScript on external sites that automatically submit requests to the vulnerable plugin's settings endpoint when visited by an authenticated administrator. If input sanitization is also absent, the CSRF payload can include JavaScript code that gets stored in the WordPress database (wp_options table or custom plugin tables) and later executes in administrators' browsers when they view the plugin's settings page. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C indicates network-based attack with low complexity requiring user interaction but no authentication, with changed scope suggesting the XSS can affect resources beyond the vulnerable component's security scope.

Affected ProductsAI

WordPress plugin 'Members page only for logged in users' by developer Naren, versions 1.4.2 and earlier. The vulnerability report from Patchstack (audit@patchstack.com) indicates all versions up to and including 1.4.2 are affected. No CPE identifier is available in the provided data. The plugin is distributed through the WordPress.org plugin repository. Vendor advisory and technical details available at https://patchstack.com/database/wordpress/plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability.

RemediationAI

Update the Members page only for logged in users plugin to version 1.4.3 or later if available, or remove the plugin entirely if updates are not released. Check the WordPress.org plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability for confirmed patched versions. If immediate patching is not feasible, implement compensating controls: restrict WordPress admin dashboard access to trusted IP addresses via server firewall rules or .htaccess directives (note this may impact legitimate remote administration), deploy a web application firewall with anti-CSRF rules to validate Origin and Referer headers on POST requests to wp-admin endpoints (may cause false positives on legitimate cross-origin admin tools), and educate administrators not to click external links while logged into WordPress admin sessions (relies on user behavior, limited effectiveness). Review WordPress database tables for suspicious JavaScript stored in plugin settings and audit admin user accounts for unauthorized additions. None of these workarounds fully mitigate the vulnerability and may interfere with normal plugin functionality or administrative workflows.

Share

CVE-2025-28901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy