CVE-2025-8783 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Contact Manager plugin for WordPress developed by kleor. This vulnerability exists in all versions up to and including 8.6.5. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'title' parameter. An authenticated attacker with administrator-level privileges can exploit this flaw to inject arbitrary JavaScript code into pages generated by the plugin. The malicious script executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. Notably, this vulnerability only affects WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the scope of exploitation. The CVSS v3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, requiring high privileges, no user interaction, and a scope change. The impact on confidentiality and integrity is limited but present, while availability is unaffected. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on August 19, 2025, with Wordfence as the assigner. This vulnerability falls under CWE-79, a common web application security weakness related to Cross-Site Scripting attacks.

For European organizations using WordPress multisite installations with the kleor Contact Manager plugin, this vulnerability poses a risk of unauthorized script execution within the context of the affected website. Although exploitation requires administrator privileges, the injected scripts could be used to steal session cookies, perform actions on behalf of users, or deliver further payloads, potentially compromising user data confidentiality and integrity. This is particularly concerning for organizations handling sensitive customer or employee data via contact management systems. The limitation to multisite or unfiltered_html-disabled installations reduces the overall exposure but does not eliminate risk for larger enterprises or managed service providers who commonly use multisite setups. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting other parts of the multisite network. While availability is not impacted, the reputational damage and compliance risks (e.g., GDPR) from data leakage or unauthorized access could be significant. The absence of known exploits in the wild provides a window for mitigation, but organizations should act promptly to prevent targeted attacks.

1. Immediate mitigation should include restricting administrator access to trusted personnel only, as exploitation requires admin privileges. 2. Review and audit all multisite WordPress installations using the kleor Contact Manager plugin to identify affected versions (up to 8.6.5). 3. Temporarily disable or remove the Contact Manager plugin if feasible until a patch is released. 4. Implement strict Content Security Policy (CSP) headers to limit the impact of injected scripts. 5. Monitor logs for unusual administrator activity or unexpected script injections. 6. Educate administrators on the risks of XSS and the importance of input validation. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Consider enabling unfiltered_html capability cautiously, as its disabling is a condition for this vulnerability. 9. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'title' parameter. 10. Conduct regular security assessments and penetration tests focusing on multisite WordPress environments.