Overview
A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12032, has been discovered in the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress. This plugin allows users to add social media and contact buttons to their mobile websites. The vulnerability affects all versions of the plugin up to and including 1.0.0.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the following parameters: vithanhlam_zsocial_save_messager, vithanhlam_zsocial_save_zalo, vithanhlam_zsocial_save_hotline, and vithanhlam_zsocial_save_contact. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages via these parameters. When a user accesses a page containing the injected script, the script will execute, potentially allowing the attacker to steal cookies, redirect users to malicious websites, or deface the website.
This vulnerability is only exploitable in multi-site installations and installations where the unfiltered_html capability has been disabled.
CVSS Analysis
- CVE ID: CVE-2025-12032
- Severity: MEDIUM
- CVSS Score: 4.4
- Vector String: (Example: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N – This may vary based on the final CVSS calculation)
A CVSS score of 4.4 indicates a medium severity vulnerability. Exploitation requires administrator-level access and user interaction (clicking a malicious link within the WordPress admin panel or viewing a maliciously crafted page). The impact includes limited information disclosure and limited modification capabilities.
Possible Impact
Successful exploitation of this vulnerability could allow an attacker to:
- Deface the website.
- Redirect users to malicious websites.
- Steal administrator cookies, potentially leading to account takeover.
- Inject malicious code to perform actions on behalf of the administrator.
Mitigation or Patch Steps
The recommended mitigation steps are:
- Update the Plugin: Check for updates to the Zweb Social Mobile plugin within your WordPress dashboard. If an updated version is available, install it immediately. A patched version should address the input sanitization and output escaping issues.
- Remove the Plugin: If an update is not available or you no longer need the plugin, consider removing it from your WordPress installation.
- Restrict User Access: Ensure that only trusted users have administrator-level access to your WordPress installation.
- Monitor Website Activity: Regularly monitor your website for any suspicious activity.
- Web Application Firewall (WAF): Consider using a Web Application Firewall (WAF) to help detect and block XSS attacks.
