CVE-2025-9332: 
WordPress vulnerability analysis and mitigation

The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-9332) discovered on October 2, 2025. This vulnerability affects all versions up to and including 2.6. The plugin was closed on October 1, 2025, pending a full security review (NVD Database, Wordfence Intel).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 5.5 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The security flaw stems from insufficient input sanitization and output escaping in the admin settings. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD Database).

The plugin has been temporarily closed as of October 1, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress Plugin).