CVE-2025-28895 is a stored cross-site scripting vulnerability in the Suman Biswas Custom top bar plugin affecting versions up to 2.1. The issue arises from improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that persist and execute in users' browsers. The vulnerability has a CVSS v3.1 base score of 7.1, reflecting network exploitability, low complexity, no required privileges, and user interaction. There is no vendor advisory or patch information available at this time, and the product is not a cloud service. No known active exploitation has been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of users visiting web pages using the vulnerable Custom top bar plugin. This can lead to information disclosure, session hijacking, or other client-side impacts. The CVSS score of 7.1 indicates a high impact on confidentiality, integrity, and availability at a low attack complexity without requiring privileges. However, exploitation requires user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the affected Custom top bar plugin versions or applying any available temporary mitigations recommended by the vendor. Monitor for updates from the vendor or trusted security sources to apply patches promptly once released.