CVE-2025-28956
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-28956 is a reflected Cross Site Scripting (XSS) vulnerability in the WordPress Backwp plugin versions up to 2.0.2. It allows unauthenticated attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into web pages. These scripts execute when visitors access the affected site, potentially compromising user interactions and security. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website without authentication. This can lead to unauthorized redirects, display of unwanted advertisements, theft of user data, session hijacking, or other malicious activities that degrade user trust and site integrity. The impact depends on how the injected scripts are used and the context of the injection. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the Patchstack virtual patch (vPatch) that mitigates the vulnerability by blocking attack attempts until an official patch is available. This virtual patch can be safely applied and tested to protect affected sites. Additionally, users are advised to seek professional incident response services if their websites have already been compromised. [1]