Members page only for logged in users CVE-2025-28901
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users allows Stored XSS. This issue affects Members page only for logged in users: from n/a through 1.4.2.
AnalysisAI
Stored XSS via CSRF in Members page only for logged in users WordPress plugin (versions ≤1.4.2) allows remote attackers to inject malicious scripts that execute when administrators view plugin settings. The attack chain requires tricking an authenticated admin into clicking a malicious link or visiting an attacker-controlled page, which submits a forged request storing XSS payloads in the database. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis. This is a CSRF-to-stored-XSS chain requiring social engineering against WordPress administrators.
Technical ContextAI
This vulnerability combines two weakness classes: CWE-352 (Cross-Site Request Forgery) and stored Cross-Site Scripting. WordPress plugins often expose administrative settings pages that accept POST requests to update configuration values. When CSRF protections (WordPress nonces) are missing or improperly validated, attackers can craft malicious HTML forms or JavaScript on external sites that automatically submit requests to the vulnerable plugin's settings endpoint when visited by an authenticated administrator. If input sanitization is also absent, the CSRF payload can include JavaScript code that gets stored in the WordPress database (wp_options table or custom plugin tables) and later executes in administrators' browsers when they view the plugin's settings page. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C indicates network-based attack with low complexity requiring user interaction but no authentication, with changed scope suggesting the XSS can affect resources beyond the vulnerable component's security scope.
Affected ProductsAI
WordPress plugin 'Members page only for logged in users' by developer Naren, versions 1.4.2 and earlier. The vulnerability report from Patchstack (audit@patchstack.com) indicates all versions up to and including 1.4.2 are affected. No CPE identifier is available in the provided data. The plugin is distributed through the WordPress.org plugin repository. Vendor advisory and technical details available at https://patchstack.com/database/wordpress/plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability.
RemediationAI
Update the Members page only for logged in users plugin to version 1.4.3 or later if available, or remove the plugin entirely if updates are not released. Check the WordPress.org plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/members-page-only-for-logged-in-users/vulnerability/wordpress-members-page-only-for-logged-in-users-plugin-1-4-2-csrf-to-stored-xss-vulnerability for confirmed patched versions. If immediate patching is not feasible, implement compensating controls: restrict WordPress admin dashboard access to trusted IP addresses via server firewall rules or .htaccess directives (note this may impact legitimate remote administration), deploy a web application firewall with anti-CSRF rules to validate Origin and Referer headers on POST requests to wp-admin endpoints (may cause false positives on legitimate cross-origin admin tools), and educate administrators not to click external links while logged into WordPress admin sessions (relies on user behavior, limited effectiveness). Review WordPress database tables for suspicious JavaScript stored in plugin settings and audit admin user accounts for unauthorized additions. None of these workarounds fully mitigate the vulnerability and may interfere with normal plugin functionality or administrative workflows.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today