CVE-2025-28901: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress Members page only for logged in users plugin, affecting versions up to 1.4.2. The vulnerability was reported on February 24, 2025, and publicly disclosed on March 11, 2025. The vulnerability allows for Stored Cross-Site Scripting (XSS) attacks when exploited (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The technical nature of the vulnerability involves a CSRF weakness that can be leveraged to perform stored XSS attacks (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The attack requires user interaction but can potentially lead to compromise of confidentiality, integrity, and availability of the affected system (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).