CVE-2025-28907 identifies a stored cross-site scripting (XSS) vulnerability in the WP Last Modified plugin for WordPress, developed by Rahul Arora. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the plugin's data. When other users or administrators view the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or malware delivery. The affected versions include all versions up to and including 0.1, with no patch currently available. The vulnerability does not require authentication to exploit, increasing its risk profile. Stored XSS is particularly dangerous because the malicious payload remains on the server and can affect multiple users over time. Although no known exploits have been observed in the wild, the vulnerability is publicly disclosed and thus may attract attackers. The plugin is used within WordPress environments, which are widely deployed globally, increasing the potential attack surface. The absence of a CVSS score necessitates an assessment based on the nature of the vulnerability, ease of exploitation, and potential impact on confidentiality, integrity, and availability.

The impact of this stored XSS vulnerability can be severe for organizations using the WP Last Modified plugin. Attackers can inject malicious scripts that execute in the context of users' browsers, leading to theft of authentication cookies, session tokens, or other sensitive information. This can result in unauthorized access to administrative accounts or user data. Additionally, attackers may perform actions on behalf of users, deface websites, or distribute malware. The persistent nature of stored XSS means that once exploited, the malicious code can affect multiple users over time, amplifying damage. For organizations relying on WordPress for content management and customer interaction, this can lead to reputational damage, data breaches, and compliance violations. The lack of a patch increases the urgency for mitigation. Since exploitation does not require authentication, any public-facing WordPress site with this plugin is at risk, potentially affecting a broad range of sectors including e-commerce, media, education, and government.

To mitigate this vulnerability, organizations should first check if they are using the WP Last Modified plugin version 0.1 or earlier and disable or remove the plugin if possible until a patch is released. Applying strict input validation and output encoding on all user-supplied data within the plugin can prevent malicious script injection. Web application firewalls (WAFs) should be configured to detect and block XSS payloads targeting the affected plugin endpoints. Administrators should monitor logs for suspicious input patterns and unusual user activity. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Regularly updating WordPress and all plugins to their latest versions is critical once a patch becomes available. Additionally, educating users and administrators about the risks of XSS and safe browsing practices can reduce the impact of potential exploitation.