EUVD-2025-17171 | CVE-2025-28964

Severity: HIGH 7.1 (CVSS 3.1)
Published: 2025-06-06 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17171
- CVE Published: Jun 06, 2025 - 13:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon allows Stored XSS. This issue affects Personal Favicon: from n/a through 2.0.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.

Technical Context

The vulnerability stems from insufficient CSRF token validation (CWE-352) in the mangup Personal Favicon plugin, which allows an attacker to forge requests on behalf of authenticated users. The root cause is the absence or improper implementation of anti-CSRF mechanisms (nonces, SameSite cookies, or double-submit tokens) on the favicon upload or configuration endpoints. The plugin likely processes user-supplied favicon data (URLs, image uploads, or metadata) without proper sanitization, so a forged request can persist an XSS payload in the stored favicon configuration. When other users visit a page containing the malicious favicon reference, the JavaScript executes in their browser context. The affected product is the mangup Personal Favicon WordPress plugin (or a similar favicon management tool), versions n/a through 2.0; the exact CPE is not available from the provided data, but it is expected to follow the pattern `cpe:2.3:a:mangup:personal_favicon:*:*:*:*:*:*:*:*`.

Affected Products

mangup Personal Favicon, versions 0.0 through 2.0 (inclusive)

Remediation

- Upgrade to patched version (priority: CRITICAL): Update mangup Personal Favicon to version 2.1 or later (assuming a patch was released after the vulnerability disclosure). A vendor advisory link is not provided in the source data; check the WordPress.org plugin repository or the vendor website.
- Disable the plugin temporarily (priority: HIGH): If immediate patching is unavailable, disable the mangup Personal Favicon plugin until a patch is released and tested.
- Implement WAF rules (priority: MEDIUM): Deploy Web Application Firewall rules to detect and block requests to favicon upload/config endpoints that lack valid CSRF tokens, and to strip or encode suspicious favicon data.
- Review stored favicons (priority: HIGH): Audit existing favicon configurations for injected JavaScript payloads; reset any suspicious entries to default safe values.
- Enable SameSite cookie policy (priority: MEDIUM): Ensure the WordPress site enforces `SameSite=Strict` or `SameSite=Lax` on session cookies to mitigate CSRF risk across plugins.

Priority Score

36 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +36
- POC: 0
