CVE-2025-28964
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Personal Favicon plugin allows attackers to perform stored cross-site scripting (XSS) attacks. This affects WordPress sites using Personal Favicon plugin versions up to 2.0. Attackers can trick authenticated administrators into executing malicious actions that inject persistent scripts.
💻 Affected Systems
- WordPress Personal Favicon plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, defaces websites, redirects visitors to malicious sites, or installs backdoors for persistent access.
Likely Case
Attackers create fake admin interfaces or forms that trick logged-in administrators into executing actions that inject malicious scripts into the site, affecting all visitors.
If Mitigated
With proper CSRF protections and input validation, the attack would fail or be limited to non-persistent effects.
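Added example (not code from the Personal Favicon plugin): one way a WordPress settings handler closes both halves of this bug class, a nonce check so a forged cross-site POST is rejected, and strict validation plus output escaping so nothing script-like is stored or echoed. Every example_* function, option and nonce name here is hypothetical.

```php
<?php
// Illustrative hardened settings handler (added example, not code from the
// Personal Favicon plugin). Every example_* name and option key is hypothetical.

// Render the form with a nonce: a forged cross-site POST cannot carry a valid one.
function example_favicon_settings_page() {
    $current = get_option( 'example_favicon_url', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_favicon_save">
        <?php wp_nonce_field( 'example_favicon_save', 'example_favicon_nonce' ); ?>
        <label>Favicon URL <input type="url" name="favicon_url"
            value="<?php echo esc_attr( $current ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST: capability, nonce, then strict validation so nothing
// script-like can reach the database (the stored-XSS half of this bug class).
function example_favicon_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with "The link you followed has expired." unless the nonce is valid.
    check_admin_referer( 'example_favicon_save', 'example_favicon_nonce' );

    $raw = isset( $_POST['favicon_url'] ) ? wp_unslash( $_POST['favicon_url'] ) : '';
    // esc_url_raw() drops javascript:/data: schemes; we also require http(s)
    // and an .ico/.png path so the value can only ever be an image URL.
    $url  = esc_url_raw( trim( (string) $raw ), array( 'http', 'https' ) );
    $path = (string) wp_parse_url( $url, PHP_URL_PATH );
    $ext  = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    if ( '' === $url || ! in_array( $ext, array( 'ico', 'png' ), true ) ) {
        wp_die( 'Invalid favicon URL', '', array( 'response' => 400 ) );
    }
    update_option( 'example_favicon_url', $url );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_favicon_save', 'example_favicon_save' );

// Escape on output too: never echo a stored option value raw into the page.
add_action( 'wp_head', function () {
    $url = get_option( 'example_favicon_url', '' );
    if ( '' !== $url ) {
        echo '<link rel="icon" href="' . esc_url( $url ) . '">' . "\n";
    }
} );
```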
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into visiting a malicious page. The CSRF leads to stored XSS payload injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Personal Favicon' and click 'Update Now'.
4. If no update is offered, deactivate and delete the plugin, then install version 2.1+ from the WordPress plugin repository.
🔧 Temporary Workarounds
Disable Personal Favicon Plugin
Temporarily disable the vulnerable plugin until it is patched.
wp plugin deactivate personal-favicon
Implement CSRF Protection Headers
Add security headers to WordPress to reduce exposure. These headers stop other sites from framing the admin pages (the clickjacking delivery vector); they do not block a plain cross-site form submission, so they complement rather than replace the patch.
Add to .htaccess:
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "frame-ancestors 'none'"
🧯 If You Can't Patch
- Remove the Personal Favicon plugin entirely and use alternative favicon management methods.
- Restrict admin panel access to trusted IP addresses only using firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Personal Favicon version. If version is 2.0 or earlier, you are vulnerable.
Check Version:
wp plugin get personal-favicon --field=version
Verify Fix Applied:
After updating, verify Personal Favicon plugin version is 2.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=personal-favicon
- JavaScript injection in plugin settings or database fields
Network Indicators:
- CSRF attack patterns with referrer headers pointing to external malicious sites
- Unexpected iframe or script loads in admin panel
SIEM Query:
source="wordpress" AND (uri="/wp-admin/admin.php?page=personal-favicon" AND method="POST") AND referrer NOT CONTAINS "yourdomain.com"