CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon allows Stored XSS. This issue affects Personal Favicon: from n/a through 2.0.
Analysis
A Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) enables Stored XSS. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and the persistence of the Stored XSS payload indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.
Technical Context
The vulnerability stems from insufficient CSRF token validation (CWE-352) in the mangup Personal Favicon plugin, which allows an attacker to forge requests on behalf of authenticated users. The root cause is the absence or improper implementation of anti-CSRF mechanisms (nonces, SameSite cookies, or double-submit tokens) in the favicon upload or configuration endpoints. The plugin likely processes user-supplied favicon data (URLs, image uploads, or metadata) without proper sanitization, enabling Stored XSS payload injection. When other users visit a page containing the malicious favicon reference, the JavaScript executes in their browser context. The affected product is the mangup Personal Favicon WordPress plugin or a similar favicon management tool, versions n/a through 2.0, identified by the likely CPE pattern `cpe:2.3:a:mangup:personal_favicon:*:*:*:*:*:*:*:*` (exact CPE unavailable from provided data).
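As an added illustration (this is not the Personal Favicon plugin's own code, and the function, option and nonce names are hypothetical), the following WordPress settings handler shows the two defects described above side by side with the fixes that close them: a request handler that accepts a favicon URL without a nonce or capability check and echoes the stored value raw, and a hardened version that verifies a nonce bound to the user's session, restricts the action to users who may manage options, sanitizes the URL on the way in and escapes it on the way out.

```php
<?php
// Added example, not the Personal Favicon plugin's code.
// Assumed (hypothetical) names: option key 'pf_demo_favicon_url',
// nonce action 'pf_demo_save', nonce field 'pf_demo_nonce'.

// ---- Weak handler: the pattern behind CWE-352 plus stored XSS ----
// Any POST reaching admin_init is honoured: no nonce, no capability check,
// and the raw value is persisted and later printed unescaped.
function pf_demo_save_weak() {
    if ( isset( $_POST['favicon_url'] ) ) {
        update_option( 'pf_demo_favicon_url', $_POST['favicon_url'] );
    }
}

function pf_demo_render_weak() {
    // Output without escaping: whatever was stored is emitted into every page.
    echo '<link rel="icon" href="' . get_option( 'pf_demo_favicon_url' ) . '">';
}

// ---- Hardened handler ----
function pf_demo_render_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field tied to this user's session and this action.
    wp_nonce_field( 'pf_demo_save', 'pf_demo_nonce' );
    echo '<input type="url" name="favicon_url" value="'
        . esc_attr( get_option( 'pf_demo_favicon_url', '' ) ) . '">';
    submit_button( 'Save favicon' );
    echo '</form>';
}

function pf_demo_save_hardened() {
    if ( ! isset( $_POST['favicon_url'] ) ) {
        return;
    }
    // 1. Only users allowed to change site settings may save a favicon.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Reject forged cross-site requests. The nonce is derived from the
    //    user's session and the action, so a third-party page cannot supply
    //    a valid one; check_admin_referer() dies on mismatch.
    check_admin_referer( 'pf_demo_save', 'pf_demo_nonce' );

    // 3. Sanitize before storing. esc_url_raw() returns '' for anything that
    //    is not a well-formed URL using one of the listed schemes, so
    //    javascript: and data: values never reach the database.
    $url = esc_url_raw( wp_unslash( $_POST['favicon_url'] ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        add_settings_error( 'pf_demo', 'bad_url', 'Favicon must be an http(s) URL.' );
        return;
    }
    update_option( 'pf_demo_favicon_url', $url );
}

function pf_demo_render_hardened() {
    $url = get_option( 'pf_demo_favicon_url', '' );
    if ( '' === $url ) {
        return;
    }
    // 4. Escape at output as well (late escaping): esc_url() re-validates the
    //    scheme and encodes characters that would break out of the attribute.
    echo '<link rel="icon" href="' . esc_url( $url ) . '">';
}

add_action( 'admin_init', 'pf_demo_save_hardened' );
add_action( 'wp_head', 'pf_demo_render_hardened' );
```

The nonce check and the capability check address the CSRF half (CWE-352); sanitizing on input and escaping on output address the stored XSS half, and both are needed because a value that is safe as a URL may still be unsafe inside an HTML attribute. A `SameSite` attribute on the session cookie is a separate, cookie-level layer and does not replace the per-request nonce.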
Affected Products
mangup Personal Favicon (0.0 through 2.0, inclusive)
Remediation
- Upgrade to patched version (priority: CRITICAL): Update mangup Personal Favicon to version 2.1 or later (assuming a patch was released after the vulnerability disclosure). Vendor advisory link not provided in source data; check the WordPress.org plugin repository or vendor website.
- Disable the plugin temporarily (priority: HIGH): If immediate patching is unavailable, disable the mangup Personal Favicon plugin until a patch is released and tested.
- Review stored favicons (priority: HIGH): Audit existing favicon configurations for injected JavaScript payloads; reset any suspicious entries to default safe values.
- Implement WAF rules (priority: MEDIUM): Deploy Web Application Firewall rules to detect and block requests to favicon upload/config endpoints lacking valid CSRF tokens and to strip or encode suspicious favicon data.
- Enable SameSite cookie policy (priority: MEDIUM): Ensure the WordPress site enforces `SameSite=Strict` or `SameSite=Lax` on session cookies to mitigate CSRF risk across plugins.
EUVD-2025-17171