CVE-2025-28988
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aharonyan WP Front User Submit / Front Editor front-editor allows Reflected XSS. This issue affects WP Front User Submit / Front Editor: from n/a through <= 4.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WP Front User Submit / Front Editor plugin for WordPress allows attackers to inject malicious scripts via crafted requests.
The WP Front User Submit / Front Editor plugin for WordPress versions up to and including 4.9.3 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the browser of a victim who visits a specially crafted URL.
Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. The attacker does not need to authenticate to deliver the payload; the injected script runs in the browser of whoever opens the crafted URL, and the impact is greatest when that victim is an authenticated, privileged user such as an administrator, because the script then acts within that user's session. Because delivery is unauthenticated and needs nothing site-specific beyond the plugin being installed, this class of flaw lends itself to mass-exploit campaigns that target WordPress sites regardless of size or popularity [1].
Successful exploitation could allow an attacker to perform actions like redirecting visitors to malicious sites, injecting advertisements, or stealing session cookies [1]. One caveat on the last point: WordPress sets its authentication cookies with the HttpOnly flag, so reading them via document.cookie is normally blocked; an attacker running script in an administrator's browser is more likely to issue authenticated requests from that session (for example, to create a user or change a setting) than to exfiltrate the cookie itself. The CVSS score of 7.1 (High) reflects the potential for significant impact with low attack complexity.
The vulnerability is patched in version 4.9.4 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied [1].
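The page does not identify which request parameter the plugin reflects, so the following is an added illustration of the general bug class and its fix, not code from the WP Front User Submit / Front Editor plugin or its 4.9.4 patch. The parameter names fe_msg and fe_redirect, the markup, and the payloads are hypothetical; the escaping helpers esc_html and esc_attr are the real WordPress functions, with stand-in definitions so the file also runs outside WordPress.

```php
<?php
// Added example: a reflected-XSS pattern in a WordPress front-end form handler
// and the hardened form of the same output. Not the plugin's own code; the
// parameter names and markup below are hypothetical.

// Stand-ins so this file runs without WordPress loaded. Inside WordPress the
// real esc_html()/esc_attr() exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: a value taken from the query string is concatenated straight
// into the generated page. Whatever the URL carries becomes markup.
function render_notice_vulnerable(array $request): string {
    $msg = $request['fe_msg'] ?? '';
    return '<div class="fe-notice">' . $msg . '</div>';
}

function render_redirect_vulnerable(array $request): string {
    $to = $request['fe_redirect'] ?? '';
    return '<input type="hidden" name="redirect_to" value="' . $to . '">';
}

// FIXED: escape at the point of output, with the function that matches the
// HTML context. Text node -> esc_html(); attribute value -> esc_attr().
// Escaping on output (rather than only filtering on input) is what the CWE
// title "improper neutralization during web page generation" points at.
function render_notice_fixed(array $request): string {
    $msg = $request['fe_msg'] ?? '';
    return '<div class="fe-notice">' . esc_html($msg) . '</div>';
}

function render_redirect_fixed(array $request): string {
    $to = $request['fe_redirect'] ?? '';
    return '<input type="hidden" name="redirect_to" value="' . esc_attr($to) . '">';
}

// Constructed payloads of the kind a crafted link would carry. The second one
// closes the value attribute first, which is why attribute context must escape
// double quotes as well as angle brackets.
$crafted = [
    'fe_msg'      => '<img src=x onerror=alert(document.domain)>',
    'fe_redirect' => '"><script>alert(1)</script><input value="',
];

echo "Vulnerable (script reaches the victim's browser):\n";
echo render_notice_vulnerable($crafted), "\n";
echo render_redirect_vulnerable($crafted), "\n\n";

echo "Fixed (payload is rendered as inert text):\n";
echo render_notice_fixed($crafted), "\n";
echo render_redirect_fixed($crafted), "\n";
```

Run with php on the command line to see both renderings side by side. The design point is that the escaping function must match the context the value lands in: esc_html() for element content, esc_attr() for attribute values, and esc_url() (not shown) for href/src, where an escaped string is still not safe if the scheme is javascript:. A WAF rule such as the Patchstack mitigation mentioned above blocks known payload shapes in transit, but it does not replace output escaping in the plugin.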
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.