CVE-2025-3752 is a stored cross-site scripting vulnerability identified in the Able Player accessible HTML5 media player plugin for WordPress, maintained by terrillthompson. The vulnerability exists in all versions up to and including 1.2.1, due to insufficient sanitization and output escaping of the 'preload' parameter. This parameter can be manipulated by authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS v3.1 score of 6.4 reflects that the attack can be launched remotely over the network (AV:N), with low complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), and impacts confidentiality and integrity with a scope change (S:C). No known exploits are currently reported in the wild, but the vulnerability poses a risk to any WordPress site using the affected plugin versions. The lack of official patches at the time of reporting necessitates immediate mitigation steps to reduce risk.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to execute arbitrary JavaScript in the context of the vulnerable WordPress site. This can lead to session hijacking, unauthorized actions on behalf of other users (including administrators), defacement, phishing, or distribution of malware. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages, increasing the attack surface. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, or disrupt service availability indirectly through subsequent attacks. Organizations relying on the Able Player plugin for accessible media content face risks of unauthorized content manipulation and loss of trust, especially in sectors requiring high accessibility standards such as education, government, and public services. The medium CVSS score indicates a moderate but significant threat that should not be ignored.

1. Immediately restrict Contributor-level user privileges to trusted individuals only, minimizing the risk of malicious script injection. 2. Implement strict input validation and output encoding on the 'preload' parameter within the plugin code if possible, using secure coding practices to neutralize potentially harmful input. 3. Monitor WordPress logs and user activity for unusual behavior or unexpected content changes in pages using the Able Player plugin. 4. Consider disabling or removing the Able Player plugin temporarily until an official patch or update is released by the vendor. 5. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the 'preload' parameter. 6. Educate site administrators and content contributors about the risks of XSS and safe content management practices. 7. Stay updated with vendor announcements and apply patches promptly once available. 8. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities and user privilege management.