{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12032", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T17:26:33.354Z", "datePublished": "2025-11-25T07:28:19.855Z", "dateUpdated": "2026-04-08T16:42:49.139Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:49.139Z"}, "affected": [{"vendor": "vithanhlam", "product": "Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\u00fat G\u1ecdi Mobile", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\u00fat G\u1ecdi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vithanhlam_zsocial_save_messager\u2019, 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "ZWeb - Social Mobile <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve"}, {"url": "https://wordpress.org/plugins/zweb-social-mobile/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-11-24T19:08:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T15:52:19.575459Z", "id": "CVE-2025-12032", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T15:52:22.257Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T15:52:19.575459Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T15:52:16.693Z"}}], "cna": {"title": "ZWeb - Social Mobile <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "vithanhlam", "product": "Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\u00fat G\u1ecdi Mobile", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:08:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve"}, {"url": "https://wordpress.org/plugins/zweb-social-mobile/"}], "descriptions": [{"lang": "en", "value": "The Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\u00fat G\u1ecdi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vithanhlam_zsocial_save_messager\u2019, 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:49.139Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12032", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:49.139Z", "dateReserved": "2025-10-21T17:26:33.354Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:19.855Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zweb Social Mobile \u2013 \u1ee8ng D\u1ee5ng N\u00fat G\u1ecdi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vithanhlam_zsocial_save_messager\u2019, 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12032", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:47.737", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/zweb-social-mobile/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:20:58.737449+00:00", "value": {"mitigation_remediation": ["Upgrade the Zweb Social Mobile plugin to a release newer than 1.0.0 that fixes the input sanitization issue.", "If an update is unavailable, deactivate or delete the plugin from the multisite network to eliminate stored script vectors.", "Manually remove or sanitize any content that was entered through the vithanhlam_zsocial_save_* parameters in the plugin\u2019s settings pages."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting with administrative privileges"}, "threat_synthesis": {"affected_systems": "This flaw affects all installations of the Zweb Social Mobile plugin up to and including version 1.0.0 when deployed on WordPress multisite setups that have the unfiltered_html capability disabled. Only users with administrator privileges who have access to the plugin\u2019s configuration pages can perform the injection.", "description_and_impact": "The Zweb Social Mobile plugin for WordPress is vulnerable to stored cross\u2011site scripting through several admin\u2011only parameters. An attacker who can authenticate as an administrator can submit arbitrary JavaScript that is then saved and rendered on pages accessed by visitors, causing the script to execute whenever those pages are viewed.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires that an attacker first gain administrative access to the site; once the malicious script is stored, it remains active until the plugin is updated or the content is removed."}}}}, "created": "2025-12-01T15:19:24.634943+00:00", "updated": "2026-04-28T10:30:29.013292+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}