Skip to main content

MaxA/B WordPress Plugin CVE-2025-28933

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in maxfoundry MaxA/B allows Stored XSS. This issue affects MaxA/B: from n/a through 2.2.2.

AnalysisAI

CSRF vulnerability in the MaxA/B WordPress plugin (versions ≤2.2.2) chains into stored cross-site scripting, allowing remote attackers to inject malicious scripts into the WordPress admin interface via social engineering. The vulnerability requires user interaction (administrator must be tricked into visiting an attacker-controlled page while authenticated) but requires no authentication by the attacker. EPSS probability is low (0.05%, 14th percentile) indicating minimal observed exploitation attempts. No CISA KEV listing or public POC identified at time of analysis, suggesting limited real-world targeting.

Technical ContextAI

This is a CSRF-to-XSS chain vulnerability in MaxA/B, a WordPress A/B testing plugin by maxfoundry. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to validate anti-CSRF tokens on administrative requests that accept user-controlled input. An attacker exploits this by crafting a malicious web page containing forged requests that execute when a logged-in WordPress administrator visits the page. The forged request injects a stored XSS payload (likely into test configuration settings or variant names), which then executes in the context of any administrator viewing the affected admin page. The CVSS scope change (S:C) indicates the XSS executes in a different security context than the vulnerable component itself, consistent with CSRF-chained attacks where the initial forged request operates at network level but the resulting XSS impacts the browser security origin.

Affected ProductsAI

WordPress MaxA/B plugin by maxfoundry, versions 2.2.2 and earlier. Specific vulnerable version range begins at an unknown earlier version (listed as 'n/a' in NVD data) through version 2.2.2. The plugin provides A/B testing functionality for WordPress sites. Vendor advisory available at Patchstack database: https://patchstack.com/database/wordpress/plugin/maxab/vulnerability/wordpress-maxa-b-plugin-2-2-2-csrf-to-stored-xss-vulnerability. CPE data not provided in available intelligence sources.

RemediationAI

Update WordPress MaxA/B plugin to a patched version newer than 2.2.2 if available. Check the WordPress plugin repository or maxfoundry vendor site for the latest release. As of this analysis, the exact patched version number is not confirmed in available data sources - verify directly with the WordPress plugin repository or vendor advisory at https://patchstack.com/database/wordpress/plugin/maxab/vulnerability/wordpress-maxa-b-plugin-2-2-2-csrf-to-stored-xss-vulnerability. If no patch is available or immediate update is not feasible, implement compensating controls: (1) Disable or uninstall the MaxA/B plugin until a patch is released if A/B testing functionality is not business-critical, (2) Restrict WordPress admin access to trusted IP ranges via firewall rules or .htaccess to reduce social engineering attack surface (note: this limits remote admin access, impacting legitimate remote administration), (3) Train administrators to avoid clicking unknown links while logged into WordPress admin panel (limited effectiveness as users may not recognize sophisticated phishing).

Share

CVE-2025-28933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy