CVE-2025-28908: 
WordPress vulnerability analysis and mitigation

The CVE-2025-28908 is a Stored Cross-Site Scripting (XSS) vulnerability affecting pipDisqus WordPress plugin through version 1.6. The vulnerability was discovered and disclosed on March 11, 2025, impacting the pipdig pipDisqus plugin, which is a WordPress plugin for managing Disqus comments (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue. It has received a CVSS v3.1 Base Score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires high privileges for exploitation and user interaction (NVD).

This vulnerability could allow a malicious actor with administrator privileges to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

Users are advised to update to pipDisqus version 1.7 or later, which contains the fix for this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).