CVE-2025-9372 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Ultimate Multi Design Video Carousel plugin for WordPress, versions up to and including 1.4. The vulnerability arises from insufficient input sanitization and output escaping during web page generation, allowing malicious scripts to be stored in the plugin’s data and executed in the context of users viewing the affected pages. This flaw is exploitable only by authenticated users with editor-level privileges, which means attackers must have elevated access to inject payloads. The vulnerability specifically affects WordPress multi-site installations or single sites where the unfiltered_html capability is disabled, limiting the scope but increasing risk in such configurations. When exploited, the attacker’s script executes in the browser of any user who visits the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The CVSS 3.1 score of 5.5 reflects a medium severity, with network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change. No patches or known exploits are currently reported, but the vulnerability’s presence in a popular WordPress plugin used in multi-site environments makes it a notable risk. The lack of output escaping and input validation are the root causes, highlighting the need for secure coding practices in plugin development.

The primary impact of this vulnerability is the potential for attackers with editor-level access to inject malicious JavaScript that executes in the browsers of users who view the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and defacement of website content. Although exploitation requires elevated privileges, the risk is significant in environments where multiple users have editor access or where compromised editor accounts exist. Multi-site WordPress installations are particularly vulnerable, which are common in large organizations, educational institutions, and media companies. The vulnerability does not affect availability but compromises confidentiality and integrity. The medium CVSS score reflects that while the attack complexity is low, the prerequisite of high privileges limits exploitation scope. However, successful exploitation could facilitate further attacks within the network or site, increasing overall risk.

Organizations should immediately audit their WordPress installations to identify the use of the Ultimate Multi Design Video Carousel plugin, especially in multi-site environments. Until an official patch is released, administrators should restrict editor-level access to trusted users only and consider temporarily disabling or removing the plugin in multi-site setups. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections can provide interim protection. Monitoring user activity logs for unusual editor behavior can help detect exploitation attempts. Additionally, enabling Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources. Developers should update the plugin code to properly sanitize and escape all user inputs and outputs related to the plugin’s data handling. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, organizations should stay alert for official patches or updates from the vendor and apply them promptly once available.