CVE-2025-28964 in Personal Favicon Plugininfo

Summary

by MITRE • 06/06/2025

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon allows Stored XSS. This issue affects Personal Favicon: from n/a through 2.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/06/2025

This cross-site request forgery vulnerability exists within the mangup Personal Favicon plugin version 2.0 and earlier, creating a critical security risk that enables attackers to execute stored cross-site scripting attacks. The vulnerability stems from insufficient validation and protection mechanisms in the plugin's handling of user input and request processing, allowing malicious actors to manipulate the application's behavior through crafted requests.

The technical flaw manifests when the plugin fails to implement proper anti-CSRF tokens or validation checks during form submissions and user data processing. This absence of security controls creates an exploitable pathway where attackers can craft malicious requests that appear legitimate to the application, thereby bypassing standard security measures designed to prevent unauthorized modifications. The vulnerability operates at the application layer, specifically targeting the plugin's user input handling and session management mechanisms.

The operational impact of this vulnerability is severe as it enables attackers to inject malicious scripts that persist within the application's data storage and execute whenever affected users access the application. This stored XSS capability allows threat actors to hijack user sessions, steal sensitive information, deface websites, or redirect users to malicious domains. The vulnerability affects all versions from the initial release through version 2.0, indicating a long-standing security flaw that has not been adequately addressed.

Security professionals should note that this vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery conditions, and represents a critical weakness in web application security that can lead to session hijacking and data breaches. The ATT&CK framework categorizes this as a privilege escalation and persistence technique, as attackers can maintain access through stored malicious payloads.

Mitigation strategies include implementing robust anti-CSRF token mechanisms, enforcing strict input validation and sanitization, and ensuring proper session management controls. Plugin developers should also conduct comprehensive security reviews and implement proper access controls to prevent unauthorized modifications. Users should immediately update to the latest version of the plugin and consider implementing additional security measures such as web application firewalls and monitoring for suspicious activities. The vulnerability underscores the importance of maintaining up-to-date software and implementing defense-in-depth strategies to protect against persistent security threats.

Responsible

Patchstack

Reservation

03/11/2025

Disclosure

06/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!