VYPR

High severity 7.1 · NVD Advisory · Published Jul 4, 2025 · Updated Apr 23, 2026

CVE-2025-28978

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hung Trang Si SB Breadcrumbs (sb-breadcrumbs) allows Reflected XSS. This issue affects SB Breadcrumbs: from n/a through <= 1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress SB Breadcrumbs plugin <=1.0 allows script injection via crafted links, with high likelihood of mass exploitation.

Vulnerability

Description

The SB Breadcrumbs plugin for WordPress, versions 1.0 and earlier, contains a reflected Cross-site Scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation [1]. The flaw occurs when the plugin fails to sanitize or escape user-supplied data before including it in output, allowing an attacker to inject arbitrary HTML or JavaScript [1].
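The vulnerable-versus-hardened pattern the advisory describes, as an added illustration that is not the SB Breadcrumbs plugin's own code: the request parameter name `sb_title`, the `sbx_` function prefix and the shortcode name are hypothetical, while `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `home_url`, `get_the_title` and `add_shortcode` are real WordPress core functions.

```php
<?php
// Added example, not the plugin's code. The 'sb_title' parameter and the
// sbx_* names are hypothetical stand-ins for whatever a breadcrumb plugin reads.

// Vulnerable pattern (CWE-79): a request value is copied straight into markup.
// Whatever ?sb_title=... carries is emitted as HTML in both a text node and an
// attribute value, so the browser interprets it instead of displaying it.
function sbx_breadcrumb_vulnerable() {
    $title = isset( $_GET['sb_title'] ) ? $_GET['sb_title'] : get_the_title();

    return '<nav class="breadcrumb">'
        . '<a href="' . home_url( '/' ) . '">Home</a> &raquo; '
        . '<span class="current" title="' . $title . '">' . $title . '</span>'
        . '</nav>';
}

// Hardened pattern: unslash and sanitize on the way in, then escape for the
// exact output context (text node, attribute value, URL) at the moment of output.
// Sanitizing alone is not enough; the escaping call is what neutralizes '<', '>',
// '"' and '&' for the context they land in.
function sbx_breadcrumb_hardened() {
    $title = isset( $_GET['sb_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['sb_title'] ) )
        : get_the_title();

    return '<nav class="breadcrumb">'
        . '<a href="' . esc_url( home_url( '/' ) ) . '">Home</a> &raquo; '
        . '<span class="current" title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</span>'
        . '</nav>';
}

// Register only the hardened renderer; the vulnerable one is kept above purely
// for side-by-side comparison during code review.
add_shortcode( 'sbx_breadcrumb', 'sbx_breadcrumb_hardened' );
```

When reviewing a plugin for this class of bug, the thing to look for is any `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` value that reaches `echo`, string concatenation into markup, or a template without passing through an `esc_*` function that matches its output context; `sanitize_text_field()` on input is good hygiene but does not replace context-specific escaping on output.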

Exploitation

Method

Exploitation requires user interaction, such as clicking a maliciously crafted link or visiting a specially crafted page [1]. An unauthenticated attacker can craft a URL containing a malicious script payload; once a victim clicks the link, the payload executes in the context of the victim's browser session [1]. No elevated privileges are needed to initiate the attack, though a privileged user must be tricked into performing the action [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform actions like redirecting visitors to attacker-controlled sites, displaying advertisements, or stealing session cookies [1]. This can lead to defacement, phishing, or further compromise of the WordPress site and its users [1].

Mitigation

Status

The vendor has not released an official patch, but Patchstack has provided a virtual mitigation rule to block attacks until an update becomes available [1]. Immediate plugin update is recommended; if that is not possible, users should contact their hosting provider for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.