{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9332", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-21T22:12:03.430Z", "datePublished": "2025-10-03T11:17:11.613Z", "dateUpdated": "2026-04-08T16:49:20.577Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:20.577Z"}, "affected": [{"vendor": "clickanatomy", "product": "Interactive Human Anatomy with Clickable Body Parts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Interactive Medical Drawing of Human Body <= 2.6 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/445e762c-7e90-4994-8542-31a84bc91388?source=cve"}, {"url": "https://wordpress.org/plugins/interactive-medical-drawing-of-human-body/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:07:57.157032Z", "id": "CVE-2025-9332", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:08:08.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9332", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:07:57.157032Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:08:04.016Z"}}], "cna": {"title": "Interactive Medical Drawing of Human Body <= 2.6 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "clickanatomy", "product": "Interactive Human Anatomy with Clickable Body Parts", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/445e762c-7e90-4994-8542-31a84bc91388?source=cve"}, {"url": "https://wordpress.org/plugins/interactive-medical-drawing-of-human-body/#developers"}], "descriptions": [{"lang": "en", "value": "The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-03T11:17:11.613Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9332", "state": "PUBLISHED", "dateUpdated": "2025-10-03T18:08:08.113Z", "dateReserved": "2025-08-21T22:12:03.430Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:11.613Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-9332", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:47.933", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/interactive-medical-drawing-of-human-body/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/445e762c-7e90-4994-8542-31a84bc91388?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:37:35.683045+00:00", "value": {"mitigation_remediation": ["Update the Interactive Human Anatomy plugin to a version newer than 2.6, where the stored XSS flaw has been fixed", "If an update is not currently available, uninstall or disable the plugin across the network to eliminate the attack surface", "Configure WordPress to disallow unfiltered_html for all but super\u2011admin accounts and review all plugin content for proper sanitization to prevent similar issues in the future"], "summary": {"action": "Update", "impact": "Stored Cross\u2011Site Scripting accessible to users with administrator or higher privileges"}, "threat_synthesis": {"affected_systems": "The plugin \"Interactive Human Anatomy with Clickable Body Parts\" from vendor clickanatomy is affected in all released versions up to and including 2.6. The issue surfaces only on WordPress multi\u2011site setups where the unfiltered_html capability is disabled for standard users; it does not impact single\u2011site installations or scenarios where unfiltered_html remains enabled for all users.", "description_and_impact": "An administrator or higher level user can inject arbitrary JavaScript into pages that display the plugin\u2019s content. The injected scripts run automatically for any visitor who views a page that includes the malicious code, potentially leading to credential theft, session hijacking, or defacement. Because the payload is stored within plugin settings, the vulnerability persists until the plugin data is cleaned or the plugin is updated. The weakness is classified as CWE\u201179, a classic stored XSS flaw.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% reflects a very low likelihood of exploitation at this time. The vulnerability is not catalogued in CISA\u2019s KEV list. Exploitation requires authenticated access to the plugin\u2019s administrative settings on a multi\u2011site WordPress network with unfiltered_html disabled, a scenario that limits the attack surface but still exposes high\u2011privileged users to risk. The likely attack vector involves an attacker logging in with an admin or super\u2011admin role, navigating to the plugin settings, and submitting malicious JavaScript that is then executed for any site visitor viewing the affected pages."}}}}, "created": "2025-10-06T14:43:11.079693+00:00", "updated": "2026-04-21T02:45:25.947387+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}