CVE-2025-28977 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-28977?

CVE-2025-28977 has a CVSS score of 7.1 (HIGH). This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP Pipes WordPress plugin, which are then executed in victims' browsers. It affects all WordPress sites using WP Pipes versions up to 1.4.3. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP Pipes WordPress plugin, which are then executed in victims' browsers. It affects all WordPress sites using WP Pipes versions up to 1.4.3. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:

ThimPress WP Pipes WordPress Plugin

Versions: n/a through 1.4.3

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with WP Pipes plugin enabled are vulnerable. No special configuration required.

📦 What is this software?

Wp Pipes by Thimpress

View all CVEs affecting Wp Pipes →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker steals administrator session cookies, gains full control of WordPress site, installs backdoors, defaces site, or steals sensitive user data.

🟠

Likely Case

Attacker steals user session cookies to hijack accounts, redirects users to malicious sites, or performs limited actions within the victim's permissions.

🟢

If Mitigated

Script execution is blocked by Content Security Policy (CSP) headers or browser XSS filters, limiting impact to specific browser/configuration combinations.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns and automated attacks. Exploitation requires user interaction (clicking malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.4 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-plugin-1-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Pipes plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 1.4.4+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable WP Pipes Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wp-pipes

Implement Content Security Policy

all

Add CSP headers to block inline script execution

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self';"

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) rules to block XSS payloads in request parameters
Restrict plugin access to trusted users only using WordPress role capabilities

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Pipes version. If version is 1.4.3 or earlier, you are vulnerable.

Check Version:

wp plugin get wp-pipes --field=version

Verify Fix Applied:

After updating, verify WP Pipes version shows 1.4.4 or later in WordPress admin plugins list.

📡 Detection & Monitoring

Log Indicators:

Unusual GET/POST requests containing script tags or JavaScript code in parameters
Multiple failed login attempts from same IP after suspicious link clicks

Network Indicators:

HTTP requests with suspicious parameters containing <script>, javascript:, or encoded payloads
Outbound connections to unknown domains after user visits specific URLs

SIEM Query:

source="web_logs" AND (uri="*<script>*" OR uri="*javascript:*" OR params="*%3Cscript%3E*") AND plugin="wp-pipes"

📊 Metadata

CVE ID: CVE-2025-28977

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.02% exploit probability (5.9th percentile)

Published: August 20, 2025

Last Updated: December 1, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-plugin-1-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28977, you might also want to check these: