CVE-2025-5939 identifies a stored cross-site scripting (XSS) vulnerability in the Telegram for WP plugin for WordPress, maintained by amir-mousavi. The flaw exists in all versions up to and including 1.6.1 and arises from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape input submitted via the admin settings page, allowing an authenticated attacker with administrator or higher privileges to inject arbitrary JavaScript code. This malicious script is stored persistently and executes whenever any user accesses the compromised page. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS 3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, required high privileges, no user interaction, and a scope change. The impact primarily affects confidentiality and integrity, as attackers can execute scripts that may steal sensitive data or manipulate site content. No public exploits have been reported yet, but the vulnerability poses a risk in environments where the plugin is deployed with the specified configurations. The absence of a patch link suggests that users should monitor the vendor for updates or apply manual mitigations.

The vulnerability allows high-privilege attackers to inject persistent malicious scripts into WordPress sites using the Telegram for WP plugin in multi-site or restricted HTML filtering environments. This can lead to unauthorized disclosure of sensitive information such as administrator session tokens or credentials, unauthorized actions performed on behalf of users, and potential defacement or manipulation of site content. Although exploitation requires administrator-level access, the injected scripts could affect all users visiting the compromised pages, expanding the impact beyond the initial attacker. This undermines the confidentiality and integrity of the affected sites and could facilitate further attacks such as privilege escalation or lateral movement within the network. Organizations relying on this plugin in multi-site WordPress deployments face increased risk of targeted attacks, especially if combined with other vulnerabilities or weak access controls. The medium severity rating reflects the limited scope of exploitation but significant consequences if exploited.

To mitigate CVE-2025-5939, organizations should first verify if they use the Telegram for WP plugin in multi-site WordPress installations or with unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing admin settings for suspicious scripts. Since no official patch is currently available, consider temporarily disabling the plugin or removing it if feasible. Implement strict input validation and output encoding on the admin settings page, either by applying custom code fixes or using security plugins that enforce sanitization. Monitor WordPress logs and admin activity for unusual behavior indicative of attempted exploitation. Additionally, enable Content Security Policy (CSP) headers to limit the impact of injected scripts. Regularly check for vendor updates or security advisories to apply patches promptly once released. Educate administrators about the risks of stored XSS and the importance of cautious input handling in plugin configurations.