CVE-2025-28925: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Hieu Nguyen's WATI Chat and Notification WordPress plugin affecting versions through 1.1.2. The vulnerability was disclosed on March 11, 2025, and has been assigned CVE-2025-28925. The issue allows attackers to perform Stored Cross-Site Scripting (XSS) attacks through CSRF (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to execute unwanted actions under the authentication of privileged users (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored XSS attacks. While classified as having a low severity impact, successful exploitation could affect the integrity and security of the affected WordPress installations (Patchstack).

The vulnerability has been fixed in version 1.1.5 of the WATI Chat and Notification plugin. Users are advised to update to version 1.1.5 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).