CVE-2025-28950

EUVD-2025-17167 | HIGH
2025-06-06 [email protected]
CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17167
CVE Published: Jun 06, 2025 - 13:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai Post Author allows Stored XSS. This issue affects Post Author: from n/a through 1.1.1.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS). An attacker who needs no account of their own can craft a malicious request which, once a logged-in user is induced to submit it (hence User Interaction: Required in the vector), injects a persistent JavaScript payload; that payload then executes in the browsers of all users viewing the affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High), with a network attack vector and low attack complexity, indicating practical exploitability without the attacker holding credentials.

Technical Context

The vulnerability stems from inadequate CSRF token validation (CWE-352) in the David Shabtai Post Author plugin, a WordPress plugin designed to manage and display post authorship information. The root cause is the failure to implement or properly verify anti-CSRF tokens on state-changing operations, allowing attackers to forge requests from victim browsers. The flaw is compounded by insufficient input sanitization, permitting the injection of malicious script content that persists in the database as Stored XSS. The plugin processes user-supplied data without proper escaping before output rendering, violating WordPress security best practices. This combination of CSRF + Stored XSS (rather than CSRF alone) significantly elevates the impact from session hijacking to persistent malicious script injection affecting all site visitors.
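The two missing controls described above (no anti-CSRF token on the state-changing request, and no sanitisation or escaping of the stored value) can be shown side by side in a hypothetical WordPress post-meta handler. This is an added illustration, not the Post Author plugin's own code; the function names and the `_pa_author_name` meta key are assumptions.

```php
<?php
// Hypothetical handler modelled on the flaw class in the analysis above
// (not the Post Author plugin's code). It stores an author display name
// posted from an edit form into post meta and later renders it.

// --- Vulnerable shape: no nonce, no capability check, raw input stored, raw output echoed ---
function pa_example_save_vulnerable( $post_id ) {
    if ( isset( $_POST['pa_author_name'] ) ) {
        // The raw request value is persisted, so a forged request carries the payload into the DB.
        update_post_meta( $post_id, '_pa_author_name', $_POST['pa_author_name'] );
    }
}
function pa_example_render_vulnerable( $post_id ) {
    // Stored value echoed unescaped into HTML: any stored script runs for every viewer.
    echo '<span class="pa-author">' . get_post_meta( $post_id, '_pa_author_name', true ) . '</span>';
}

// --- Hardened shape: nonce (CWE-352), capability check, sanitise on input, escape on output ---
function pa_example_form_field( $post_id ) {
    $name = get_post_meta( $post_id, '_pa_author_name', true );
    // The nonce is bound to this action, this post and the current user's session.
    wp_nonce_field( 'pa_save_author_' . $post_id, 'pa_author_nonce' );
    echo '<input type="text" name="pa_author_name" value="' . esc_attr( $name ) . '">';
}
function pa_example_save_hardened( $post_id ) {
    // 1. Reject cross-site forged requests: a third-party page cannot obtain a valid nonce.
    if ( ! isset( $_POST['pa_author_nonce'] )
         || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['pa_author_nonce'] ) ),
                               'pa_save_author_' . $post_id ) ) {
        return;
    }
    // 2. Authorisation is a separate question from CSRF: check the capability as well.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 3. Sanitise on input: a display name is plain text, so tags and control bytes are stripped.
    if ( isset( $_POST['pa_author_name'] ) ) {
        $name = sanitize_text_field( wp_unslash( $_POST['pa_author_name'] ) );
        update_post_meta( $post_id, '_pa_author_name', $name );
    }
}
function pa_example_render_hardened( $post_id ) {
    // 4. Escape on output regardless of what reached the database.
    $name = get_post_meta( $post_id, '_pa_author_name', true );
    echo '<span class="pa-author">' . esc_html( $name ) . '</span>';
}
add_action( 'save_post', 'pa_example_save_hardened' );
```

Sanitising on input alone is not enough: escaping at render time is what guarantees that values already stored (including any injected before the fix) cannot execute.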

Affected Products

David Shabtai Post Author plugin for WordPress, versions 1.1.1 and earlier (all versions from initial release through 1.1.1 are affected). CPE data is not provided in the source material, but the affected product can be identified as: David Shabtai Post Author (WordPress plugin). Specific version range: <=1.1.1. No configuration-specific variants are indicated; all installations of this plugin version are vulnerable. WordPress site administrators using this plugin should assume their installations are at risk.

Remediation

Immediate remediation steps:
1. Deactivate and remove the David Shabtai Post Author plugin from all WordPress installations until a patched version is released.
2. Search the WordPress site database for suspicious content injected via the plugin (look for script tags or unusual modifications to post metadata).
3. If Stored XSS has been injected, sanitize database entries and audit user accounts for unauthorized access.
4. Monitor WordPress logs and user activity for signs of compromise.
Long-term: update to the latest patched version once released by the vendor (version >1.1.1 or awaiting vendor advisory). Workaround: if the plugin is essential, temporarily restrict plugin access via WordPress user role management and implement Web Application Firewall (WAF) rules to block script injection patterns. Check the official WordPress.org plugin repository or vendor website for security advisories and patched releases.

Priority Score

36 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0
