CVE-2025-28936: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in sakurapixel's Lunar WordPress plugin, tracked as CVE-2025-28936. The vulnerability affects all versions of Lunar up to and including version 1.3.0. This security issue was discovered and reported on February 19, 2025, and was publicly disclosed on March 11, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 Base Score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Given the low severity rating, virtual patching has been deemed unnecessary (Patchstack).