Skip to main content

EUVDEUVD-2025-17171

| CVE-2025-28964 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17171
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 13:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon allows Stored XSS. This issue affects Personal Favicon: from n/a through 2.0.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.

Technical ContextAI

The vulnerability stems from insufficient CSRF token validation (CWE-352) in the mangup Personal Favicon plugin, which allows an attacker to forge requests on behalf of authenticated users. The root cause is the absence or improper implementation of anti-CSRF mechanisms (nonces, SameSite cookies, or double-submit tokens) in the favicon upload or configuration endpoints. The plugin likely processes user-supplied favicon data (URLs, image uploads, or metadata) without proper sanitization, enabling Stored XSS payload injection. When other users visit a page containing the malicious favicon reference, the JavaScript executes in their browser context. The affected product is the mangup Personal Favicon WordPress plugin or similar favicon management tool, versions n/a through 2.0, identified by CPE pattern likely cpe:2.3:a:mangup:personal_favicon:*:*:*:*:*:*:*:* (exact CPE unavailable from provided data).

RemediationAI

  • action: Upgrade to patched version; details: Update mangup Personal Favicon to version 2.1 or later (assuming patch released post-vulnerability disclosure). Vendor advisory link not provided in source data; check WordPress.org plugin repository or vendor website.; priority: CRITICAL
  • action: Disable the plugin temporarily; details: If immediate patching is unavailable, disable the mangup Personal Favicon plugin until a patch is released and tested.; priority: HIGH
  • action: Implement WAF rules; details: Deploy Web Application Firewall rules to detect and block requests to favicon upload/config endpoints lacking valid CSRF tokens and to strip or encode suspicious favicon data.; priority: MEDIUM
  • action: Review stored favicons; details: Audit existing favicon configurations for injected JavaScript payloads; reset any suspicious entries to default safe values.; priority: HIGH
  • action: Enable SameSite cookie policy; details: Ensure the WordPress site enforces SameSite=Strict or SameSite=Lax on session cookies to mitigate CSRF risk across plugins.; priority: MEDIUM

Share

EUVD-2025-17171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy