CVE-2025-12032 is a stored cross-site scripting vulnerability classified under CWE-79 found in the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. It specifically involves the parameters 'vithanhlam_zsocial_save_messager', 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact', which lack proper input sanitization and output escaping. An attacker with administrator-level privileges on a WordPress multi-site installation where unfiltered_html is disabled can inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising confidentiality and integrity by stealing session tokens, redirecting users, or performing unauthorized actions. The vulnerability requires authenticated high-privilege access, making exploitation more challenging but still significant in environments where administrators may be compromised or malicious. The CVSS 3.1 score of 4.4 reflects a medium severity with network attack vector, high attack complexity, and no user interaction required. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. Since the vulnerability requires administrator-level access to exploit, the risk is elevated in environments where administrator accounts are shared, compromised, or insufficiently protected. Multi-site WordPress installations are particularly affected, which are common in organizations managing multiple sites under a single WordPress instance. Exploitation could lead to defacement, data leakage, or further compromise of the WordPress environment. Although the CVSS score is medium, the scope is significant because injected scripts execute in the context of any user visiting the affected pages, potentially impacting all site visitors and administrators. The lack of known exploits reduces immediate risk, but the vulnerability's presence in a widely used CMS plugin means it could be targeted in the future, especially in regions with high WordPress adoption.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privileged account compromise. 2. Monitor and audit administrator activities to detect any suspicious input or changes to the vulnerable parameters. 3. Disable or limit the use of the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin on multi-site WordPress installations until a patch or update is available. 4. Implement a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the specified parameters. 5. If possible, enable the unfiltered_html capability to allow administrators to use HTML but be aware this may have other security implications; alternatively, apply manual input validation and output escaping in the plugin code if custom development is feasible. 6. Regularly update WordPress core, plugins, and themes to incorporate security patches as they become available. 7. Educate administrators on the risks of injecting untrusted content and the importance of sanitizing inputs. 8. Consider isolating multi-site installations or limiting plugin usage to single-site environments where the vulnerability does not apply.