CVE-2025-28895
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suman Biswas Custom top bar custom-top-bar allows Stored XSS. This issue affects Custom top bar: from n/a through <= 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WordPress Custom top bar plugin, reachable via CSRF, allows attackers to inject malicious scripts; versions ≤ 2.1 are affected.
Vulnerability
Overview
The Custom top bar plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. The attack vector is a cross-site request forgery (CSRF), meaning an attacker can force a privileged user to unknowingly submit a crafted request that stores malicious JavaScript in the plugin's settings [1].
Exploitation
Requirements
Exploitation requires a logged-in user with elevated privileges (e.g., administrator) to be tricked into clicking a malicious link, visiting a crafted page, or submitting a form. The attacker does not need direct authentication but relies on the victim's active session to perform the unintended action [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or further compromise of the WordPress installation. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
Users should update the Custom top bar plugin to a patched version as soon as possible. If an update is not available, consider disabling the plugin or implementing a web application firewall (WAF) rule to block malicious requests. Hosting providers or web developers can assist with immediate remediation [1].
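As an added illustration (not the plugin's code; the option, hook and function names are invented placeholders), here is the settings-save and render pattern that the Overview and Mitigation sections describe, first in the CSRF-and-stored-XSS-prone shape and then hardened with a capability check, a nonce, sanitization on save and escaping at the output sink:

```php
<?php
// Added example, not the plugin's code. Hypothetical WordPress settings handler
// for a top-bar message; option/hook/function names are invented placeholders.

// --- Weak pattern: no nonce, no capability check, raw value stored and echoed ---
function topbar_demo_save_weak() {
    // Any request carrying this field is accepted, including a forged cross-site
    // form submission that rides on the logged-in admin's session cookie (CSRF).
    if ( isset( $_POST['topbar_demo_text'] ) ) {
        update_option( 'topbar_demo_text', wp_unslash( $_POST['topbar_demo_text'] ) );
    }
}
function topbar_demo_render_weak() {
    // Stored value is printed verbatim, so injected markup runs for every visitor.
    echo '<div class="topbar">' . get_option( 'topbar_demo_text', '' ) . '</div>';
}

// --- Hardened pattern: capability + nonce on write, sanitize on save, escape on output ---
function topbar_demo_save_hardened() {
    // 1. Only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The nonce ties the request to a form this site rendered for this user;
    //    a forged cross-site POST cannot supply a valid one, which closes the CSRF vector.
    check_admin_referer( 'topbar_demo_save', 'topbar_demo_nonce' );
    // 3. Strip tags and odd bytes before storage (defense in depth, not a substitute for escaping).
    $text = sanitize_text_field( wp_unslash( $_POST['topbar_demo_text'] ?? '' ) );
    update_option( 'topbar_demo_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=topbar-demo&saved=1' ) );
    exit;
}
function topbar_demo_render_hardened() {
    // 4. Escape at the output sink: HTML metacharacters become entities, so stored
    //    content cannot break out of the text node even if step 3 were bypassed.
    echo '<div class="topbar">' . esc_html( get_option( 'topbar_demo_text', '' ) ) . '</div>';
}
function topbar_demo_settings_form() {
    // Admin form that emits the nonce field the hardened handler verifies.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'topbar_demo_save', 'topbar_demo_nonce' );
    echo '<input type="hidden" name="action" value="topbar_demo_save">';
    echo '<input type="text" name="topbar_demo_text" value="'
        . esc_attr( get_option( 'topbar_demo_text', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
add_action( 'admin_post_topbar_demo_save', 'topbar_demo_save_hardened' );
add_action( 'wp_footer', 'topbar_demo_render_hardened' );
```

Where the plugin itself cannot be patched, a WAF rule that rejects the settings POST when it lacks a valid nonce or carries script tags in the message field mirrors steps 2 and 3 from outside the application.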
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.