CVE-2025-8080 identifies a stored cross-site scripting (XSS) vulnerability in the Alobaidi Captcha plugin for WordPress, affecting all versions up to and including 1.0.3. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient input sanitization and output escaping in the plugin's settings interface. This flaw enables authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into plugin settings that persistently execute whenever a user accesses the affected pages. The vulnerability is constrained to WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, high attack complexity, required high privileges, no user interaction, scope change, and low impact on confidentiality and integrity, with no availability impact. No public exploits have been reported to date. The vulnerability arises because the plugin fails to properly sanitize or escape user-supplied input before rendering it in the web interface, allowing stored malicious scripts to execute in the context of other users' browsers, potentially leading to session hijacking, privilege escalation, or defacement. The issue is particularly relevant in multi-site environments where multiple sites share the same WordPress installation, increasing the potential impact scope.

The primary impact of CVE-2025-8080 is the potential for stored XSS attacks that can compromise the confidentiality and integrity of affected WordPress multi-site installations. An attacker with administrator-level access can inject malicious scripts that execute in the browsers of other users who visit the compromised pages, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, or defacement of site content. Although the vulnerability requires high privileges to exploit, the scope change means that an attacker could affect multiple sites within a multi-site network, amplifying the damage. The vulnerability does not impact availability directly but can undermine trust in the affected websites and lead to reputational damage. Organizations running WordPress multi-site environments with the Alobaidi Captcha plugin are at risk, especially if they have multiple administrators or less stringent access controls. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2025-8080, organizations should first restrict administrator-level access to trusted personnel only, minimizing the risk of malicious input injection. Since the vulnerability affects multi-site installations or those with unfiltered_html disabled, consider enabling unfiltered_html where appropriate or isolating critical sites to single-site installations if feasible. Monitor and audit plugin settings changes regularly to detect suspicious modifications. Although no official patch is currently available, users should watch for updates from the Alobaidi plugin developers and apply them promptly once released. As an immediate workaround, administrators can sanitize inputs manually or use security plugins that enforce input validation and output escaping on plugin settings pages. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Additionally, implement web application firewalls (WAFs) with rules targeting stored XSS patterns in WordPress plugins. Regularly back up WordPress installations to enable quick recovery if exploitation occurs. Finally, educate administrators about the risks of stored XSS and the importance of cautious input handling.