CVE-2025-28976: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Email Address Security by WebEmailProtector WordPress plugin, affecting versions up to 3.3.6. The vulnerability was identified on June 30, 2025, and was assigned CVE-2025-28976. This security flaw allows authenticated users with subscriber-level privileges or higher to inject malicious scripts into web pages (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires low attack complexity and low privileges to exploit, but does require user interaction (NVD).

If exploited, this vulnerability could allow malicious actors to inject harmful scripts, including redirects and unwanted advertisements, which would be executed when visitors access the affected website. The impact affects confidentiality, integrity, and availability at a low level for each component (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available (Patchstack).