CVE-2025-28861: Cross-Site Request Forgery (CSRF) in bhzad WP jQuery Persian Datepicker
Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker (plugin slug wpjqp-datepicker) allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0, i.e. every version up to and including 0.1.0.
AI Analysis
Technical Summary
CVE-2025-28861 is a Cross-Site Request Forgery (CSRF) vulnerability in the bhzad WP jQuery Persian Datepicker WordPress plugin (slug wpjqp-datepicker), affecting all versions up to and including 0.1.0. A state-changing request handled by the plugin is accepted without a valid WordPress nonce, so an attacker who lures a logged-in user, typically an administrator, onto a page the attacker controls can make the victim's browser submit that request with the victim's session cookies and without the victim noticing. Because the forged request can write attacker-controlled text that the plugin later renders without adequate sanitization or output escaping, the CSRF chains into Stored Cross-Site Scripting (XSS): the payload is persisted in the site's database and executes in the browser of anyone who views the affected page. Script running in an administrator's wp-admin session is enough for full site takeover, since it can create or promote accounts, change options and install plugins using the victim's own nonces. The advisory (assigned by Patchstack) does not name the specific endpoint or field, no patched version was listed at the time of disclosure, and no public exploitation has been reported. No CVSS score is attached, so severity has to be judged from the attack pattern: exploitation needs a privileged user to be lured while logged in, but the resulting impact on integrity and confidentiality is high, and availability is affected if the injected script is used for defacement or to redirect visitors.
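The mechanism described above, with the developer-side fix that the Mitigation Recommendations call for (nonce, capability check, input sanitization, output escaping), as an added illustration in PHP. This is not the wpjqp-datepicker plugin's code: the option name wpjqp_date_format, the admin-post action wpjqp_save, the nonce action name, the settings page slug and the date_format field are invented for the example, since the advisory does not identify the vulnerable endpoint or field.

```php
<?php
// Added illustration, NOT code from the wpjqp-datepicker plugin. Every option,
// hook, field and page name below is assumed for the example.

// ---- Vulnerable pattern: how a CSRF-to-stored-XSS bug in a settings page looks ----
// Hooked on admin_post_wpjqp_save, this runs for any request that arrives with a
// logged-in user's cookies. A hidden form on an attacker's page that posts to
// admin-post.php?action=wpjqp_save and submits itself on load is enough, because
// there is no nonce check, no capability check and no sanitization.
function wpjqp_save_settings_vulnerable() {
    update_option('wpjqp_date_format', $_POST['date_format']); // raw attacker input persisted
    wp_safe_redirect(admin_url('options-general.php?page=wpjqp'));
    exit;
}

// The stored value is later echoed without escaping, so a payload such as
// "><script>...</script> runs for every user who loads this page.
function wpjqp_render_field_vulnerable() {
    echo '<input name="date_format" value="' . get_option('wpjqp_date_format') . '">';
}

// ---- Hardened pattern ----
function wpjqp_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="wpjqp_save">
        <?php wp_nonce_field('wpjqp_save_settings', 'wpjqp_nonce'); // per-user, time-limited token ?>
        <input name="date_format"
               value="<?php echo esc_attr(get_option('wpjqp_date_format', 'YYYY/MM/DD')); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function wpjqp_save_settings() {
    // 1. Authorization: only users who may change site options.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. CSRF defense: the nonce is bound to the user and session, so a form
    //    on a foreign origin cannot supply it. check_admin_referer() dies on failure.
    check_admin_referer('wpjqp_save_settings', 'wpjqp_nonce');
    // 3. Sanitize before storing; then whitelist to what a date pattern needs.
    $format = isset($_POST['date_format'])
        ? sanitize_text_field(wp_unslash($_POST['date_format']))
        : '';
    if (!preg_match('/^[A-Za-z0-9\/\-\.\s:,]{0,32}$/', $format)) {
        wp_die('Invalid date format', '', ['response' => 400]);
    }
    update_option('wpjqp_date_format', $format);
    // 4. Output escaping (esc_attr in the form above) is the second line of
    //    defense, so a value that slips past validation still cannot run as script.
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=wpjqp')));
    exit;
}
add_action('admin_post_wpjqp_save', 'wpjqp_save_settings');
```

The nonce alone closes the CSRF; the capability check matters separately because admin_post_ hooks fire for any logged-in role, and the escaping on output is what prevents the stored value from becoming XSS even if sanitization is later weakened.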
Potential Impact
Successful exploitation lets an attacker perform actions in the context of an authenticated user, most usefully an administrator, and persist a script payload in the site. That payload then runs for every user who loads the affected page: it can issue authenticated requests on the victim's behalf (WordPress auth cookies are HttpOnly, but script does not need to read them to use the session), capture credentials through injected forms, escalate privileges by creating or promoting users, and deliver phishing pages or malware to the site's visitors. Content integrity and the confidentiality of user data and sessions are at risk, and a defaced or malware-serving site damages the organization's reputation and trust. The plugin serves Persian-language sites, so exposure is concentrated where Persian is used, but any WordPress site with the plugin installed is affected regardless of locale. With no patch available the exposure window is open-ended, and the risk rises sharply once a public proof of concept appears.
Mitigation Recommendations
Audit WordPress installations for the plugin: look for wp-content/plugins/wpjqp-datepicker/ or run wp plugin list, and treat any installed version (0.1.0 and earlier) as affected until a fixed release exists. Disable or remove the plugin until a patched version is published, and watch the Patchstack and WordPress.org advisories for one. Be clear about what each compensating control actually does. MFA does not help here, because CSRF rides an already-authenticated session and stored XSS runs after login. A WAF or reverse proxy cannot recognize CSRF from the request body, but it can reject POSTs to /wp-admin/ whose Origin or Referer header does not match the site, or whose Sec-Fetch-Site header is cross-site; that blocks the browser-driven attack at the edge. A Content Security Policy limits what an injected script can do, but wp-admin depends on inline scripts, so a strict policy there needs testing before it is enforced. Reduce the number of accounts holding manage_options, and tell administrators not to browse untrusted sites in the same browser session as wp-admin. Monitor web server and application logs for cross-site or Referer-less POSTs to admin endpoints and for unexpected changes to plugin options, and if compromise is suspected inspect the stored settings in the options table for script or event-handler markup. For the plugin's developer, the fix is the standard WordPress pattern: a capability check (current_user_can), a nonce on the form (wp_nonce_field) verified on submission (check_admin_referer), sanitization on input (sanitize_text_field or a stricter whitelist) and escaping on output (esc_attr or esc_html).
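Detection over access logs, as an added example that is not from the advisory or any vendor: a PHP CLI script that parses combined-format web server log lines and flags POSTs to /wp-admin/ whose Referer is absent or names a host other than the site's own, which is the request shape a browser-driven CSRF leaves behind. The hostname blog.example.com, the IP addresses and the log lines are constructed for the example.

```php
<?php
// Added example, not from the advisory or the plugin. Flags the request shape a
// CSRF attack against a WordPress admin endpoint leaves in an access log: a POST
// to /wp-admin/ whose Referer is missing or points at a foreign site.
// Hostname, IPs and log lines below are constructed for the example.

const OWN_HOSTS = ['blog.example.com'];   // assumed: hostnames this site answers on

// Parse one Apache/nginx "combined" format line into fields, or return null.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6] === '-' ? null : $m[6],
        'ua'      => $m[7],
    ];
}

// Return a reason if the request looks like a forged admin POST, else null.
function csrf_indicator(array $req): ?string
{
    if ($req['method'] !== 'POST') {
        return null;                       // GET-based CSRF exists but is out of scope here
    }
    if (strpos($req['path'], '/wp-admin/') !== 0) {
        return null;                       // only admin-side handlers are of interest
    }
    if ($req['referer'] === null) {
        // Browsers send Referer on a same-site form post unless the page sets
        // Referrer-Policy: no-referrer, which is what an attacker page would do.
        return 'admin POST without Referer';
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), OWN_HOSTS, true)) {
        return 'admin POST referred from foreign host ' . var_export($host, true);
    }
    return null;
}

// Scan log lines and return the flagged requests with their reasons.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_combined($line);
        if ($req === null) {
            continue;                      // unparseable line, skip
        }
        $why = csrf_indicator($req);
        if ($why !== null) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'path' => $req['path'],
                       'status' => $req['status'], 'reason' => $why];
        }
    }
    return $hits;
}

// Constructed sample: a legitimate settings save, a forged one from an attacker
// page, one with the Referer stripped, and a harmless GET from a foreign link.
$sample = [
    '203.0.113.5 - - [01/Apr/2026:19:32:52 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/options-general.php?page=wpjqp" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2026:19:40:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2026:19:41:03 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Apr/2026:19:45:30 +0000] "GET /wp-admin/options-general.php?page=wpjqp HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"',
];

// Only the second and third lines are reported.
foreach (scan_log($sample) as $hit) {
    printf("%s %s %s -> %d : %s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status'], $hit['reason']);
}
```

A 302 on the flagged POST means the handler accepted the request and redirected, so those entries deserve a look at the plugin's stored options. If the server can log the Sec-Fetch-Site request header (modern browsers send it and it cannot be suppressed by the attacker's page), matching on a value of cross-site is a more reliable signal than the Referer.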
Affected Countries
Iran, Afghanistan, Pakistan, United States, Germany, United Kingdom, Canada, Australia, United Arab Emirates, Turkey
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-11T08:08:42.174Z
- CVSS Version: null (no CVSS score published)
- State: PUBLISHED
Threat ID: 69cd72e4e6bfc5ba1deef3c7
Added to database: 4/1/2026, 7:32:52 PM
Last enriched: 4/1/2026, 11:26:33 PM
Last updated: 4/4/2026, 8:25:20 AM