CVE-2025-28891 Overview
CVE-2025-28891 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress price-calc plugin developed by jazzigor. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling malicious actors to execute arbitrary JavaScript code in the context of authenticated users' browsers. The attack requires user interaction, specifically tricking an authenticated administrator into clicking a malicious link or visiting a compromised webpage.
Critical Impact
Attackers can exploit this CSRF-to-Stored-XSS chain to hijack administrator sessions, steal sensitive data, deface websites, or distribute malware to site visitors through persistent malicious scripts.
Affected Products
- WordPress price-calc plugin version 0.6.3 and earlier
- All WordPress installations running vulnerable versions of the price-calc plugin
Discovery Timeline
- 2025-03-11 - CVE-2025-28891 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-28891
Vulnerability Analysis
This vulnerability combines two distinct attack vectors into a dangerous exploitation chain. The price-calc plugin fails to implement proper CSRF token validation on state-changing operations, allowing attackers to forge requests on behalf of authenticated users. When combined with insufficient input sanitization, this enables attackers to inject persistent JavaScript payloads that execute whenever the affected page is loaded.
The attack exploits the trust relationship between the WordPress application and authenticated administrators. Since the plugin does not validate the origin of requests or properly sanitize user-supplied input before storing it in the database, malicious scripts can be permanently embedded in the application's data layer.
Root Cause
The root cause of this vulnerability is twofold: missing CSRF protection (CWE-352) on plugin administrative functions and inadequate output encoding when rendering user-controlled data. The plugin fails to implement WordPress nonce verification for form submissions and does not properly escape data before displaying it in the browser, creating the conditions for both CSRF exploitation and persistent XSS injection.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious webpage or link containing a forged request to the vulnerable plugin endpoint. When an authenticated WordPress administrator visits the attacker-controlled page or clicks the malicious link, the forged request is automatically submitted with the victim's session credentials.
The malicious payload is then stored in the WordPress database without sanitization. Subsequently, any user viewing the affected content executes the injected JavaScript in their browser context, potentially leading to session theft, credential harvesting, or further malicious actions.
Detection Methods for CVE-2025-28891
Indicators of Compromise
- Unexpected JavaScript code or <script> tags in price-calc plugin database entries
- Suspicious administrative changes to plugin settings without corresponding user activity
- Browser console errors or unexpected script executions on pages using price-calc functionality
- Web server logs showing POST requests to plugin endpoints from external referrers
Detection Strategies
- Monitor WordPress database tables associated with the price-calc plugin for HTML/JavaScript injection patterns
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Review web server access logs for unusual patterns of requests to plugin administrative endpoints
- Deploy Web Application Firewall (WAF) rules to detect CSRF and XSS attack signatures
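Two of the detection strategies above (log review for cross-site POSTs to administrative endpoints, and scanning stored plugin data for script patterns) as an added PHP example; it is not part of the advisory or the plugin. The log lines, the site host and the stored values are constructed sample data, and the `/wp-admin/` path prefix is an assumption about where plugin admin handlers live, not a known price-calc route.

```php
<?php
// Added example (not from the advisory or the plugin): two checks a defender can run
// over a combined-format access log and over stored plugin values.

// Flags POST requests to wp-admin endpoints whose Referer is missing or belongs to
// another origin: the shape a browser-submitted CSRF form leaves in the access log.
function is_cross_site_admin_post( string $line, string $site_host ): bool {
    $re = '/"(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+" \d{3} \S+ "(?<referer>[^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return false;                                   // not a combined-format line
    }
    if ( $m['method'] !== 'POST' || strpos( $m['path'], '/wp-admin/' ) !== 0 ) {
        return false;                                   // only admin-side POSTs matter here
    }
    $ref_host = parse_url( $m['referer'], PHP_URL_HOST ); // "-" or garbage yields null/false
    return $ref_host === null || $ref_host === false || strcasecmp( $ref_host, $site_host ) !== 0;
}

// Flags stored values carrying common script vectors: script/iframe/svg/img tags,
// inline event handlers and javascript: URLs. A hit is a triage lead, not proof.
function looks_like_injected_script( string $value ): bool {
    return (bool) preg_match( '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|svg|img)\b/i', $value );
}

// Constructed sample input: one legitimate admin save, one save referred from a foreign
// page, one ordinary page view.
$site = 'shop.example';
$log  = [
    '198.51.100.7 - - [11/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=price-calc" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2025:10:05:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2025:10:05:45 +0000] "GET /?page_id=12 HTTP/1.1" 200 4412 "-" "Mozilla/5.0"',
];
foreach ( $log as $i => $line ) {
    printf( "line %d: %s\n", $i, is_cross_site_admin_post( $line, $site ) ? 'SUSPECT cross-site admin POST' : 'ok' );
}

// Constructed sample of values as they might sit in wp_options / plugin tables.
$stored = [ 'Price per unit', 'Total <script>alert(1)</script>', 'Shipping' ];
foreach ( $stored as $v ) {
    printf( "%-36s %s\n", $v, looks_like_injected_script( $v ) ? 'INJECTED?' : 'clean' );
}
```

Browsers may omit the Referer under strict referrer policies, so a missing referer on an admin POST is a signal to correlate with audit logs rather than an alert on its own; the Origin header, which is more reliable for this purpose, is not recorded in the default combined log format.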
Monitoring Recommendations
- Enable WordPress audit logging to track all plugin configuration changes
- Configure browser-based XSS detection and reporting using CSP report-uri directive
- Set up alerts for database modifications to price-calc related tables outside normal administrative workflows
- Monitor for outbound connections to unknown domains that may indicate data exfiltration
How to Mitigate CVE-2025-28891
Immediate Actions Required
- Disable or remove the price-calc plugin until a patched version is available
- Review price-calc plugin database entries for signs of injected malicious content
- Audit WordPress administrative user sessions and force password resets if compromise is suspected
- Implement a Web Application Firewall with CSRF and XSS protection rules
Patch Information
At the time of publication, no official patch has been confirmed for this vulnerability. Users should monitor the Patchstack Vulnerability Report for updates on remediation. Consider replacing the plugin with an alternative that has active security maintenance.
Workarounds
- Temporarily deactivate the price-calc plugin to eliminate the attack surface
- Implement server-side request filtering to block suspicious form submissions to plugin endpoints
- Add custom WordPress nonce verification to plugin forms if source code modification is feasible
- Restrict administrative access to trusted IP addresses to reduce CSRF exploitation risk
- Enable browser security headers including X-Content-Type-Options, X-Frame-Options, and strict Content Security Policy
# Add security headers in Apache .htaccess (requires mod_headers)
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# 'self' also blocks inline scripts, which WordPress core, themes and plugins commonly use; test in report-only mode before enforcing
Header always set Content-Security-Policy "script-src 'self'; object-src 'none';"
# Legacy header ignored by current browsers; harmless to keep for older clients
Header always set X-XSS-Protection "1; mode=block"
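The nonce verification and output escaping named under Root Cause and in the Workarounds list above, as an added PHP example; this is not code from the price-calc plugin. The option name pc_demo_label, the action pc_demo_save and the form fields are assumptions chosen for illustration; the functions used are WordPress core APIs.

```php
<?php
// Added example (not the plugin's code): the insecure pattern the advisory describes,
// followed by a handler that closes both root causes with WordPress core functions.
// Names prefixed pc_demo_ are assumptions for this example.

// --- Before: no nonce check, unsanitized storage, unescaped output ---
function pc_demo_save_insecure() {
    if ( isset( $_POST['label'] ) ) {
        update_option( 'pc_demo_label', $_POST['label'] );    // stored as received
    }
    echo '<p>' . get_option( 'pc_demo_label' ) . '</p>';       // rendered as received
}

// --- After: the form carries a nonce bound to the action ---
function pc_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pc_demo_save">';
    wp_nonce_field( 'pc_demo_save', 'pc_demo_nonce' );        // CSRF token, per user and per action
    echo '<input type="text" name="label" value="' . esc_attr( get_option( 'pc_demo_label', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// --- After: the write path checks capability and nonce, then sanitizes ---
function pc_demo_save_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // A forged request from another site cannot carry a valid nonce; this call dies on failure.
    check_admin_referer( 'pc_demo_save', 'pc_demo_nonce' );
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'pc_demo_label', $label );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_pc_demo_save', 'pc_demo_save_secure' );

// --- After: the read path escapes at output time, so even a value stored before the
// fix cannot execute as script ---
function pc_demo_render_label() {
    echo '<span class="pc-label">' . esc_html( get_option( 'pc_demo_label', '' ) ) . '</span>';
}
```

Input sanitization and output escaping are both kept because they protect against different failures: sanitization limits what enters the database, while escaping guards every render path, including data that was stored before the fix was applied.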
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


