CVE-2025-28860
📋 TL;DR
This CSRF vulnerability in the Google News Editors Picks Feed Generator WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions without their knowledge. Successful exploitation leads to stored cross-site scripting (XSS), enabling attackers to inject malicious scripts into the website. All WordPress sites running version 2.1 or earlier of this plugin are affected.
💻 Affected Systems
- Google News Editors Picks Feed Generator WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent malicious scripts that steal administrator credentials, deface websites, redirect visitors to malicious sites, or install backdoors for further compromise.
Likely Case
Attackers create fake admin interfaces or forms that trick logged-in administrators into executing actions that inject malicious JavaScript into the site, affecting all visitors.
If Mitigated
With proper CSRF tokens and input validation, the vulnerability would be prevented, requiring attackers to find alternative attack vectors.
🎯 Exploit Status
Exploitation requires social engineering to trick an authenticated administrator into clicking a malicious link while logged into WordPress. The CSRF leads to stored XSS payload execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Google News Editors Picks Feed Generator'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Implement CSRF Protection
WordPress: Add nonce verification to the plugin's forms and actions to prevent CSRF attacks.
Requires code modification: add wp_nonce_field() to the forms and wp_verify_nonce() checks to the form-processing code, and sanitize the submitted values before storing them so the CSRF can no longer be turned into stored XSS.
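The workaround above described in code, as an added example that is not the plugin's own code and not part of the original advisory. It shows the vulnerable pattern the advisory describes (a settings handler that accepts any POST from a logged-in administrator and stores the value unsanitized) next to a hardened handler that adds the nonce check, a capability check, input sanitization and output escaping. All function, option and form-field names prefixed gnep_example_ are hypothetical placeholders; the WordPress API calls (wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, esc_html, etc.) are real core functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed gnep_example_ are
// hypothetical placeholders chosen for illustration only.

// BEFORE: the pattern behind CVE-2025-28860. Any POST carrying the field is
// accepted, so a form on an attacker-controlled page that an admin's browser
// submits is processed, and the raw value is stored and later rendered (XSS).
function gnep_example_save_settings_vulnerable() {
    if ( isset( $_POST['gnep_feed_title'] ) ) {
        update_option( 'gnep_example_feed_title', $_POST['gnep_feed_title'] );
    }
}

// The settings form, now carrying a nonce tied to a specific action name.
function gnep_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gnep_example_save_settings', 'gnep_example_nonce' ); ?>
        <input type="hidden" name="action" value="gnep_example_save_settings">
        <label>Feed title
            <input type="text" name="gnep_feed_title"
                   value="<?php echo esc_attr( get_option( 'gnep_example_feed_title', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER: nonce (anti-CSRF), capability (authorization), sanitize (anti-XSS).
function gnep_example_save_settings_hardened() {
    // 1. The request must carry a valid nonce issued for this exact action.
    //    A cross-site form cannot know the nonce, so the check fails closed.
    $nonce = isset( $_POST['gnep_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['gnep_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'gnep_example_save_settings' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }

    // 2. A nonce proves intent, not privilege: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Error', array( 'response' => 403 ) );
    }

    // 3. Sanitize on the way in so markup never reaches the database.
    $title = isset( $_POST['gnep_feed_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['gnep_feed_title'] ) )
        : '';
    update_option( 'gnep_example_feed_title', $title );

    // Return to the referring admin page (or the dashboard) after saving.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_gnep_example_save_settings', 'gnep_example_save_settings_hardened' );

// 4. Escape on the way out as well, so a value stored before the fix is
//    rendered as text rather than executed.
function gnep_example_print_title() {
    echo esc_html( get_option( 'gnep_example_feed_title', '' ) );
}
```

The nonce and capability checks are independent: wp_verify_nonce() only proves the request came from a form WordPress generated for this user and action, and current_user_can() proves the user may perform it. check_admin_referer() is the core helper that combines the nonce lookup and wp_die() into one call, if a shorter form is preferred. The sanitization step is what stops a CSRF from becoming stored XSS even if an attacker later finds another way to submit the form.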
🧯 If You Can't Patch
- Deactivate and remove the Google News Editors Picks Feed Generator plugin from your WordPress installation immediately.
- Implement web application firewall (WAF) rules to block suspicious requests targeting the plugin endpoints.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Google News Editors Picks Feed Generator'. If version is 2.1 or earlier, you are vulnerable.
Check Version:
wp plugin list --name='google-news-editors-picks-news-feeds' --field=version
Verify Fix Applied:
After updating, verify the plugin version is higher than 2.1 in WordPress admin > Plugins > Installed Plugins.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin admin endpoints without proper referrer headers
- Administrative actions from unexpected IP addresses or user agents
Network Indicators:
- HTTP requests containing malicious script payloads in POST parameters to wp-admin/admin-ajax.php or plugin-specific endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "google-news-editors") AND (http_method="POST" AND NOT referrer CONTAINS own_domain)
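The log indicators and SIEM query above, implemented as an added example that is not part of the original advisory: a small PHP script that parses access-log lines in combined format and flags POSTs to wp-admin/admin-ajax.php or to paths containing "google-news-editors" whose Referer is not this site. The host name in OWN_HOST and the four log lines are constructed for the example.

```php
<?php
// Added example, not from the advisory. OWN_HOST and the log lines are
// constructed; adjust OWN_HOST to the site's real host before use.

const OWN_HOST = 'blog.example.test'; // assumption: the WordPress site's host

// Parse one combined-format access-log line into its fields, or null.
function gnep_example_parse_line( string $line ): ?array {
    // ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'method'  => $m[2],
        'path'    => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[5],
        'ua'      => $m[6],
    );
}

// The two endpoint classes the advisory's SIEM query watches.
function gnep_example_is_plugin_target( string $path ): bool {
    $p = parse_url( $path, PHP_URL_PATH );
    if ( ! is_string( $p ) ) {
        $p = $path;
    }
    return $p === '/wp-admin/admin-ajax.php' || str_contains( $path, 'google-news-editors' );
}

// True only when the Referer host is exactly our own host.
function gnep_example_referer_is_own( string $referer ): bool {
    if ( $referer === '' || $referer === '-' ) {
        return false;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return is_string( $host ) && strcasecmp( $host, OWN_HOST ) === 0;
}

// Return one finding per POST to a watched endpoint without a same-site Referer.
function gnep_example_flag( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = gnep_example_parse_line( $line );
        if ( $r === null || $r['method'] !== 'POST' || ! gnep_example_is_plugin_target( $r['path'] ) ) {
            continue;
        }
        if ( ! gnep_example_referer_is_own( $r['referer'] ) ) {
            $reason = ( $r['referer'] === '-' || $r['referer'] === '' ) ? 'missing referer' : 'cross-site referer';
            $hits[] = sprintf( '%s POST %s referer=%s (%s)', $r['ip'], $r['path'], $r['referer'], $reason );
        }
    }
    return $hits;
}

// Constructed sample: one legitimate admin save, one cross-site POST, one POST
// with no Referer at all, and one harmless GET that must not be flagged.
$sample = array(
    '203.0.113.5 - - [10/Apr/2025:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://blog.example.test/wp-admin/admin.php?page=gnep" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2025:10:02:00 +0000] "POST /wp-admin/admin.php?page=google-news-editors-picks HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "https://blog.example.test/wp-admin/" "Mozilla/5.0"',
);

foreach ( gnep_example_flag( $sample ) as $hit ) {
    echo $hit, PHP_EOL;
}
```

Run with a PHP 8 CLI (str_contains needs 8.0 or later) and pipe real log lines into $sample; the second and third sample lines are reported, the first and fourth are not. Treat "missing referer" findings as lower confidence: Referrer-Policy settings and privacy extensions strip the header from legitimate admin requests too, so correlate those with the unexpected-IP and user-agent indicators listed above before acting on them. A same-site Referer is not proof of legitimacy either, since a nonce check in the plugin is the actual control; this script only surfaces requests worth a closer look.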