CVE-2025-28871: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in jwpegram Block Spam By Math Reloaded WordPress plugin affecting versions through 2.2.4. The vulnerability was discovered and reported by Nabil Irawan on February 26, 2025, and was publicly disclosed on March 11, 2025. This stored XSS vulnerability affects the plugin's functionality and requires administrator privileges to exploit (Patchstack).

The vulnerability has been assigned CVE-2025-28871 and received a CVSS v3.1 base score of 4.8 (Medium) according to NVD, while Patchstack assessed it with a score of 5.9 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network accessible, requires high privileges, and user interaction for exploitation (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The impact is considered low severity and is unlikely to be exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects all versions through 2.2.4, and no patch has been released (Patchstack).