CVE-2025-28902: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Benjamin Pick Contact Form 7 Select Box Editor Button plugin version 0.6 and earlier. The vulnerability was reported on February 23, 2025, and publicly disclosed on March 11, 2025. This security issue affects WordPress installations using the Contact Form 7 Select Box Editor Button plugin (Patchstack Database).

The vulnerability has been assigned CVE-2025-28902 and is classified as CWE-352 (Cross-Site Request Forgery). According to the CVSS v3.1 scoring system, it has received a base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows malicious actors to potentially force higher privileged users to execute unwanted actions under their current authentication. The impact is considered low severity as it primarily affects the integrity of the system without compromising confidentiality or availability (Patchstack Database).

Currently, there is no official fix available for this vulnerability. Given the low severity of the issue, virtual patching is deemed unnecessary (Patchstack Database).