CVE-2025-8783: 
WordPress vulnerability analysis and mitigation

The Contact Manager plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8783) in versions up to and including 8.6.5. The vulnerability was discovered on August 18, 2025, and affects the 'title' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 4.4 (MEDIUM). The attack vector is characterized as Network (AV:N) with High attack complexity (AC:H), requiring High privileges (PR:H), no user interaction (UI:N), and affecting Changed scope (S:C) with Low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (NVD).

Users should upgrade their Contact Manager plugin to a version newer than 8.6.5 when available. The vulnerability has been identified and tracked in the WordPress plugin repository, indicating that a fix is being developed (WordPress Plugin).