VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Mar 11, 2025 · Updated Apr 23, 2026

CVE-2025-28936

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar lunar-sell-photos-online allows Stored XSS. This issue affects Lunar: from n/a through <= 1.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can inject arbitrary JavaScript into WordPress Lunar plugin pages via stored XSS, affecting versions ≤ 1.3.0.

Vulnerability

The WordPress Lunar plugin (lunar-sell-photos-online) contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 1.3.0. The plugin fails to properly neutralize input during web page generation, allowing malicious scripts to be stored on the server and later executed in the browsers of visitors [1]. This is classified as Improper Neutralization of Input During Web Page Generation (CWE-79).
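The snippet below is an added illustration of the CWE-79 pattern the description refers to; it is not the Lunar plugin's code, and the page does not identify which field or template is affected. It models a WordPress-style render path: a submitted value is stored and later concatenated into HTML unchanged, beside the same path with escaping applied at the point of output. The field name ("caption"), the storage array, the sample submission and the review check are constructed for the example, and the escape helpers stand in for WordPress's esc_html()/esc_attr() so the script runs outside WordPress.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Lunar plugin. Models the CWE-79 pattern:
// a submitted value is stored, then later written into a page. The field name
// ("caption"), the $storage array and the sample submission are constructed.

// Stand-in for persistent storage such as post meta or an options row.
$storage = [];

// Constructed submission from a low-privilege user; carries markup.
$submittedCaption = 'Sunset <script>alert(1)</script>';

// --- Vulnerable render path: value written into HTML unchanged ------------
function store_caption(array &$storage, string $caption): void
{
    $storage['caption'] = $caption;
}

function render_caption_unsafe(array $storage): string
{
    // Concatenating the stored string straight into markup is the defect:
    // whatever was submitted becomes part of the page for every visitor.
    return '<p class="caption">' . ($storage['caption'] ?? '') . '</p>';
}

// --- Hardened render path: escape for the context at the point of output ---
// In a WordPress plugin these are esc_html() and esc_attr(); both reduce to
// htmlspecialchars() with ENT_QUOTES for the cases shown here.
function esc_html_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_attr_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_caption_safe(array $storage): string
{
    $caption = $storage['caption'] ?? '';
    // Text-node context gets esc_html, attribute context gets esc_attr.
    // Sanitising on write (sanitize_text_field() in WordPress) is a second
    // layer; output escaping is the one that closes CWE-79.
    return '<p class="caption" title="' . esc_attr_like($caption) . '">'
        . esc_html_like($caption) . '</p>';
}

// --- Review check: did the untrusted value reach the output verbatim? -------
function contains_unescaped(string $html, string $untrusted): bool
{
    // If the raw submission (angle brackets intact) appears in the rendered
    // HTML, the browser will parse it as markup rather than as text.
    return strpos($html, $untrusted) !== false;
}

store_caption($storage, $submittedCaption);

$unsafeHtml = render_caption_unsafe($storage);
$safeHtml   = render_caption_safe($storage);

echo "vulnerable: {$unsafeHtml}\n";
echo '  unescaped markup reaches page: ', contains_unescaped($unsafeHtml, $submittedCaption) ? "yes\n" : "no\n";
echo "hardened:   {$safeHtml}\n";
echo '  unescaped markup reaches page: ', contains_unescaped($safeHtml, $submittedCaption) ? "yes\n" : "no\n";
```

Run with `php example.php`: the vulnerable branch prints the submitted script tag intact and the check reports "yes"; the hardened branch prints `&lt;script&gt;alert(1)&lt;/script&gt;` and the check reports "no". When auditing a plugin for this class of bug, the thing to look for is exactly the first pattern: any stored or request-derived value reaching `echo`, string concatenation or a template without a context-appropriate `esc_*()` call in between.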

Exploitation

Exploitation requires the attacker to have a role that can submit content (e.g., any logged-in user with post/submission privileges), but no elevated privileges are needed beyond that. The attack requires user interaction: a privileged user must perform an action such as clicking a link or submitting a form to trigger execution of the injected script [1]. The stored XSS payload becomes active when other users — including administrators or visitors — load the affected page.

Impact

Successful exploitation allows the attacker to inject arbitrary JavaScript, HTML, or other payloads. This could be used to redirect visitors to malicious sites, display advertisements, steal session cookies, or perform other actions in the context of the victim's browser [1]. The vulnerability is rated as Medium severity with a CVSS v3 score of 5.9.

Mitigation

The vendor has released a patched version; users must update the Lunar plugin to a version newer than 1.3.0 to remediate the issue. If immediate updating is not possible, users are advised to contact their hosting provider or web developer for assistance [1]. No workaround is detailed, and the vulnerability may be targeted in mass-exploit campaigns.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)