CVE-2025-28885: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Fiverr.com Official Search Box WordPress plugin, identified as CVE-2025-28885. The vulnerability affects versions up to 1.0.8 of the plugin and was publicly disclosed on March 24, 2025. The security researcher Abdi Pranata identified this vulnerability which allows authenticated users with subscriber-level access to perform stored XSS attacks (Wordfence Intel).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating that the vulnerability requires network access, low attack complexity, low privileges, and user interaction (NVD).

The vulnerability allows authenticated users with subscriber-level access to inject malicious scripts that can be stored and executed when other users view the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (Patchstack).

Website administrators using the Fiverr.com Official Search Box plugin should update to a version newer than 1.0.8 if available. If an update is not available, it is recommended to disable the plugin until a security patch is released (NVD).