CVE-2025-9332 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'Interactive Human Anatomy with Clickable Body Parts' in all versions up to and including 2.6. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of administrator-configured settings. This flaw allows authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. The injected scripts execute in the context of any user who visits the affected pages, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users with elevated privileges. The vulnerability is limited to multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled, which restricts HTML filtering. The CVSS 3.1 score of 5.5 reflects a medium severity, with network attack vector, low attack complexity, high privileges required, no user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. No known public exploits have been reported, but the vulnerability poses a risk in environments where the plugin is deployed with the specified configurations. The lack of available patches at the time of reporting necessitates immediate attention to mitigate risk.

The primary impact of this vulnerability is the potential for attackers with administrator-level access to inject malicious scripts that execute in the browsers of users visiting the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation within the WordPress environment. Since the vulnerability affects multi-site installations, the scope of impact can be broader, potentially compromising multiple sites managed under a single WordPress instance. Although exploitation requires high privileges, the consequences can be severe in environments where multiple administrators or users with elevated permissions exist. The vulnerability does not affect availability but compromises confidentiality and integrity of data and user sessions. Organizations relying on this plugin for interactive anatomy content in educational, medical, or training websites may face reputational damage and data breaches if exploited.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations to identify if the 'Interactive Human Anatomy with Clickable Body Parts' plugin is installed and used in multi-site configurations or with 'unfiltered_html' disabled. Since no official patch is currently available, administrators should restrict plugin usage to trusted users only and consider temporarily disabling or uninstalling the plugin until a fix is released. Implement strict role-based access controls to limit administrator privileges and monitor admin activities for suspicious behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the plugin's admin settings. Additionally, enable Content Security Policy (CSP) headers to reduce the impact of injected scripts. Regularly update WordPress core and plugins and subscribe to vendor advisories to apply patches promptly once available. Finally, conduct security awareness training for administrators to recognize and prevent injection of malicious content.