CVE-2025-28989: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in arildur Read More Login WordPress plugin, identified as CVE-2025-28989. The vulnerability affects Read More Login versions through 2.0.3, allowing for Stored XSS attacks. The vulnerability was disclosed on June 6, 2025, and was reported by Nguyen Ngoc Quang Bach (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

No official fix is available for this vulnerability. Users are urgently advised to consider replacing the software with an alternative as it appears to be abandoned. Note that deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).