The Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile WordPress plugin is vulnerable to stored cross-site scripting via the parameters 'vithanhlam_zsocial_save_messager', 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact'. This vulnerability exists in all versions up to and including 1.0.0 due to improper neutralization of input during web page generation (CWE-79). An attacker with administrator-level access can inject arbitrary scripts that execute when users access the affected pages. The vulnerability specifically impacts multi-site installations or those where the unfiltered_html capability is disabled. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low confidentiality and integrity impact with no availability impact.

An authenticated attacker with administrator privileges can exploit this vulnerability to inject and execute arbitrary JavaScript in the context of affected pages. This can lead to limited confidentiality and integrity impacts, such as session hijacking or content manipulation, but does not affect availability. The vulnerability only affects multi-site WordPress installations or those with unfiltered_html disabled, limiting the attack surface. There are no known exploits in the wild at this time.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Since exploitation requires administrator access and specific WordPress configurations (multi-site or unfiltered_html disabled), restricting administrator access and reviewing plugin usage may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.