CVE-2025-8783
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | contact_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Contact Manager plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue affecting all versions up to and including 8.6.5. It occurs via the 'title' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page. This vulnerability specifically affects multi-site installations and installations where the unfiltered_html setting is disabled.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator access to inject malicious scripts into the plugin's pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the user. Since it is a stored XSS, the malicious code persists on the site until removed. The impact is limited to multi-site installations or those with unfiltered_html disabled, and requires high privileges to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying stored Cross-Site Scripting (XSS) attempts via the 'title' parameter in the Contact Manager plugin on WordPress multisite installations with unfiltered_html disabled. Since the vulnerability requires authenticated administrator access to inject scripts, detection can focus on monitoring HTTP requests and database entries for suspicious script tags or payloads in the 'title' parameter. Commands to detect such payloads could include searching web server logs or database content for suspicious patterns. For example, using grep on server logs: `grep -i '<script' /path/to/access.log` or querying the WordPress database for entries in the Contact Manager plugin tables containing script tags in the 'title' field. However, no specific detection commands are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Contact Manager plugin to version 8.6.6 or later, which includes security improvements and input sanitization enhancements. This update addresses the vulnerability by improving input handling and escaping, as indicated by the security-focused changes in version 8.6.6. Additionally, ensure that only trusted administrators have access, and consider enabling unfiltered_html if appropriate. Monitoring and restricting administrator-level access can reduce risk until the update is applied. [1, 2]