CVE-2025-28986: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability identified in Webaholicson Epicwin Plugin (CVE-2025-28986) allows SQL Injection. This vulnerability affects Epicwin Plugin versions through 1.5. The vulnerability was discovered and reported by Nguyen Xuan Chien on May 5, 2025, and was publicly disclosed on June 6, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.2 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The technical nature of the vulnerability involves a CSRF condition that can be leveraged to perform SQL injection attacks (NVD, Patchstack).

The vulnerability allows an unauthenticated attacker to force higher privileged users to execute unwanted actions under their current authentication. The CSRF vulnerability can be chained with SQL injection capabilities, potentially leading to unauthorized data access and system compromise (Patchstack).

No official fix is currently available for this vulnerability. The recommended action is to remove and replace the software, as it appears to be abandoned and unlikely to receive future updates or fixes (Patchstack).