CVE-2025-28975: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in redqteam Alike - WordPress Custom Post Comparison plugin affecting versions through 3.0.1. The vulnerability was discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on July 17, 2025. This reflected XSS vulnerability allows unauthenticated attackers to inject malicious scripts into web pages (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 score of 7.1 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) (Patchstack).

The vulnerability could allow malicious actors to inject and execute arbitrary web scripts or HTML payloads on affected websites. When exploited, attackers could potentially inject malicious scripts that create redirects, display unwanted advertisements, or execute other harmful HTML content that would affect visitors to the compromised site (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their sites (Patchstack).