MaxA/B WordPress Plugin CVE-2025-28933
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in maxfoundry MaxA/B allows Stored XSS. This issue affects MaxA/B: from n/a through 2.2.2.
AnalysisAI
CSRF vulnerability in the MaxA/B WordPress plugin (versions ≤2.2.2) chains into stored cross-site scripting, allowing remote attackers to inject malicious scripts into the WordPress admin interface via social engineering. The vulnerability requires user interaction (administrator must be tricked into visiting an attacker-controlled page while authenticated) but requires no authentication by the attacker. EPSS probability is low (0.05%, 14th percentile) indicating minimal observed exploitation attempts. No CISA KEV listing or public POC identified at time of analysis, suggesting limited real-world targeting.
Technical ContextAI
This is a CSRF-to-XSS chain vulnerability in MaxA/B, a WordPress A/B testing plugin by maxfoundry. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to validate anti-CSRF tokens on administrative requests that accept user-controlled input. An attacker exploits this by crafting a malicious web page containing forged requests that execute when a logged-in WordPress administrator visits the page. The forged request injects a stored XSS payload (likely into test configuration settings or variant names), which then executes in the context of any administrator viewing the affected admin page. The CVSS scope change (S:C) indicates the XSS executes in a different security context than the vulnerable component itself, consistent with CSRF-chained attacks where the initial forged request operates at network level but the resulting XSS impacts the browser security origin.
Affected ProductsAI
WordPress MaxA/B plugin by maxfoundry, versions 2.2.2 and earlier. Specific vulnerable version range begins at an unknown earlier version (listed as 'n/a' in NVD data) through version 2.2.2. The plugin provides A/B testing functionality for WordPress sites. Vendor advisory available at Patchstack database: https://patchstack.com/database/wordpress/plugin/maxab/vulnerability/wordpress-maxa-b-plugin-2-2-2-csrf-to-stored-xss-vulnerability. CPE data not provided in available intelligence sources.
RemediationAI
Update WordPress MaxA/B plugin to a patched version newer than 2.2.2 if available. Check the WordPress plugin repository or maxfoundry vendor site for the latest release. As of this analysis, the exact patched version number is not confirmed in available data sources - verify directly with the WordPress plugin repository or vendor advisory at https://patchstack.com/database/wordpress/plugin/maxab/vulnerability/wordpress-maxa-b-plugin-2-2-2-csrf-to-stored-xss-vulnerability. If no patch is available or immediate update is not feasible, implement compensating controls: (1) Disable or uninstall the MaxA/B plugin until a patch is released if A/B testing functionality is not business-critical, (2) Restrict WordPress admin access to trusted IP ranges via firewall rules or .htaccess to reduce social engineering attack surface (note: this limits remote admin access, impacting legitimate remote administration), (3) Train administrators to avoid clicking unknown links while logged into WordPress admin panel (limited effectiveness as users may not recognize sophisticated phishing).
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today