CVE-2025-28905: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-28905) affects the Featured Posts Grid WordPress plugin through version 1.7. It is classified as a Cross-Site Scripting (XSS) vulnerability that allows for Stored XSS attacks through improper neutralization of input during web page generation. The vulnerability was discovered and reported by researcher 0xd4rk5id3 on February 22, 2025, and was publicly disclosed on March 11, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue stems from improper neutralization of input during web page generation, which can lead to stored Cross-Site Scripting attacks. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers to inject and store malicious scripts that can execute when users access affected pages. This can lead to compromised confidentiality, integrity, and availability of the affected system, with potential for unauthorized data access and manipulation (Patchstack).

As of the disclosure date, there is no official fix available for this vulnerability. Users of the Featured Posts Grid plugin version 1.7 or earlier should consider implementing additional security controls or removing the plugin until a patch is released (Patchstack).