CVE-2025-12032
TL;DR
This stored XSS vulnerability in the Zweb Social Mobile WordPress plugin allows authenticated administrators to inject malicious scripts that execute when users view affected pages. It affects all versions up to 1.0.0, but only impacts multi-site installations or those where the unfiltered_html capability is disabled.
Affected Systems
- Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile WordPress Plugin
Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
Risk & Real-World Impact
Worst Case
Attackers with admin access could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of users.
Likely Case
Malicious administrators or compromised admin accounts could deface websites, inject cryptocurrency miners, or steal user data through persistent XSS payloads.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented entirely; on single-site installations where administrators have unfiltered_html enabled, the risk is eliminated.
Exploit Status
Requires administrator-level access to WordPress. Exploitation involves injecting scripts through specific plugin parameters that lack proper sanitization.
Fix & Mitigation
Official Fix
Patch Version: Not available
Vendor Advisory: https://wordpress.org/plugins/zweb-social-mobile/
Restart Required: No
Instructions:
1. Remove the Zweb Social Mobile plugin from WordPress.
2. No official patch exists as of analysis date.
3. Consider alternative plugins with similar functionality.
Temporary Workarounds
Enable unfiltered_html for administrators
On single-site WordPress installations, ensure administrators have the unfiltered_html capability enabled (default in most configurations).
Disable plugin
Deactivate and remove the vulnerable plugin from WordPress:
wp plugin deactivate zweb-social-mobile
wp plugin delete zweb-social-mobile
If You Can't Patch
- Remove the plugin entirely from WordPress installations.
- Implement web application firewall rules to block XSS payloads targeting the vulnerable parameters.
How to Verify
Check if Vulnerable:
In the WordPress admin panel, check for the Zweb Social Mobile plugin at version 1.0.0 or earlier, and confirm whether the installation is multi-site or has the unfiltered_html capability disabled for administrators.
Check Version:
wp plugin get zweb-social-mobile --field=version
Verify Fix Applied:
Verify plugin is removed from WordPress plugins list or confirm unfiltered_html capability is enabled for administrators on single-site installations.
Detection & Monitoring
Log Indicators:
- POST requests containing vithanhlam_zsocial_save_* parameters with script tags or JavaScript payloads
- WordPress admin user actions modifying plugin settings with suspicious content
Network Indicators:
- HTTP requests to WordPress admin-ajax.php or admin-post.php with XSS payloads in parameters
SIEM Query:
source="wordpress.log" AND (vithanhlam_zsocial_save_messager OR vithanhlam_zsocial_save_zalo OR vithanhlam_zsocial_save_hotline OR vithanhlam_zsocial_save_contact) AND (script OR javascript OR onload OR onerror)
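Detection logic corresponding to the log indicators and SIEM query above, as an added example that is not part of this advisory or the plugin. The audit-log line format, user names and sample events are constructed; only the vithanhlam_zsocial_save_* parameter names and the script/javascript/onload/onerror tokens come from the advisory.

```python
"""Flag admin POSTs that write Zweb Social Mobile settings with script-like values."""
import re
from urllib.parse import parse_qs

# Parameter names listed in the advisory's log indicators.
WATCHED_PARAMS = {
    "vithanhlam_zsocial_save_messager",
    "vithanhlam_zsocial_save_zalo",
    "vithanhlam_zsocial_save_hotline",
    "vithanhlam_zsocial_save_contact",
}

# Tokens from the advisory's SIEM query, tightened so that a phone number or a
# URL merely containing the word "script" does not fire. Tune after triage.
PAYLOAD_RE = re.compile(r"<\s*script|javascript\s*:|\bon(?:load|error)\s*=", re.IGNORECASE)

# Constructed audit-log shape: "<ip> <user> <method> <path> <url-encoded body>"
LOG_RE = re.compile(r"^(\S+) (\S+) (POST|GET) (\S+) ?(.*)$")

# Constructed sample events (addresses are from documentation test ranges).
SAMPLE_LOG = [
    "203.0.113.5 alice POST /wp-admin/admin-post.php "
    "vithanhlam_zsocial_save_hotline=%2B84123456789&vithanhlam_zsocial_save_zalo=zalo.me%2Fexample",
    "203.0.113.9 bob POST /wp-admin/admin-post.php "
    "vithanhlam_zsocial_save_messager=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "203.0.113.9 bob POST /wp-admin/admin-ajax.php "
    "action=save&vithanhlam_zsocial_save_contact=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "198.51.100.7 carol POST /wp-admin/admin-post.php other_plugin_field=%3Cscript%3Ex%3C%2Fscript%3E",
    "198.51.100.7 carol GET /wp-admin/admin-post.php vithanhlam_zsocial_save_zalo=%3Cscript%3E",
]


def suspicious_params(body):
    """Return watched parameters whose percent-decoded value looks like markup."""
    decoded = parse_qs(body, keep_blank_values=True)  # parse_qs also percent-decodes values
    return sorted(
        name for name, values in decoded.items()
        if name in WATCHED_PARAMS and any(PAYLOAD_RE.search(v) for v in values)
    )


def scan(lines):
    """Yield (user, path, params) for POSTs to admin endpoints that write suspicious settings."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, user, method, path, body = m.groups()
        if method != "POST" or not path.endswith(("admin-post.php", "admin-ajax.php")):
            continue
        hits = suspicious_params(body)
        if hits:
            yield user, path, hits
```

Against SAMPLE_LOG, only bob's two settings writes are reported; the unrelated plugin field and the GET request are ignored, which keeps the alert tied to the parameters this CVE concerns.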