Attack Vectors
CVE-2025-57912 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 4.4) affecting Dialogity Free Live Chat (WordPress plugin slug: dialogity-website-chat) in versions up to and including 1.0.3.
The attack requires an authenticated user with administrator-level access or higher to inject malicious script content that is then stored and executed when a page containing the injected content is viewed. According to the advisory, the issue only affects multisite installations and sites where unfiltered_html has been disabled, which can be common in more locked-down or compliance-driven environments.
Reference: CVE-2025-57912 record and Wordfence vulnerability advisory.
Security Weakness
The core weakness is insufficient input sanitization and output escaping in Dialogity Free Live Chat (<= 1.0.3). In practical terms, the plugin does not adequately prevent potentially dangerous content from being saved and later rendered in a way that the browser executes as code.
While the required permissions are high (administrator or above), this still matters because administrator access can be obtained through credential theft, password reuse, social engineering, or a separate vulnerability in another plugin or theme. In multisite environments the impact is amplified because administrative actions often affect multiple sites or users.
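The save-then-render pattern behind this class of weakness, shown as an added illustration rather than the Dialogity plugin's own code: the option name, nonce action and function names are hypothetical, while the WordPress API calls are real. The key point is that WordPress core's kses filtering only covers post content; a plugin's own settings fields must sanitize on save and escape on output themselves, which is why the issue surfaces exactly where administrators lack the unfiltered_html capability (multisite, or DISALLOW_UNFILTERED_HTML).

```php
<?php
// Added example, not code from the Dialogity plugin. 'example_chat_*' names
// and the 'example_chat_greeting' option are hypothetical.

// Vulnerable pattern: the raw POST value is stored verbatim and later echoed
// into the page. The capability check does not help, because an administrator
// who lacks unfiltered_html is still allowed to reach this handler, and the
// stored markup then runs in every visitor's browser.
function example_chat_save_greeting_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_chat_settings' );
    update_option( 'example_chat_greeting', wp_unslash( $_POST['greeting'] ?? '' ) );
}

function example_chat_render_greeting_unsafe() {
    echo '<div class="chat-greeting">' . get_option( 'example_chat_greeting', '' ) . '</div>';
}

// Hardened pattern: sanitize on save according to the user's capability, and
// escape on output regardless of what was stored. Users who hold
// unfiltered_html may keep limited HTML (filtered through wp_kses_post);
// everyone else is reduced to plain text.
function example_chat_save_greeting_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_chat_settings' );
    $raw   = wp_unslash( $_POST['greeting'] ?? '' );
    $clean = current_user_can( 'unfiltered_html' )
        ? wp_kses_post( $raw )           // strips <script>, on* handlers, javascript: URLs
        : sanitize_text_field( $raw );   // plain text only
    update_option( 'example_chat_greeting', $clean );
}

function example_chat_render_greeting_safe() {
    // Output-side filtering is the last line of defence: even a value that
    // reached the database unsanitized cannot carry executable markup past here.
    echo '<div class="chat-greeting">' . wp_kses_post( get_option( 'example_chat_greeting', '' ) ) . '</div>';
}

add_action( 'admin_post_example_chat_save', 'example_chat_save_greeting_safe' );
```

When reviewing a plugin for this pattern, look for option or post-meta values that are echoed without esc_html(), esc_attr() or wp_kses_post() on the output path, independent of whatever sanitization happens on save.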
Technical or Business Impacts
Stored XSS can create meaningful business risk even at medium severity because it can undermine trust and session security. If exploited, scripts may run in a victim’s browser when they access an affected page, potentially enabling actions such as unauthorized changes performed in the user’s session or data exposure within the context of what the user can access.
For marketing directors and executives, the practical impacts often include brand damage (malicious pop-ups/redirects on site pages), campaign disruption (tampered landing pages or analytics interference), and compliance concerns if user-facing experiences are manipulated in a way that affects disclosures, consent flows, or customer communications. Even when the initial attacker needs administrator access, the resulting scripts can target other privileged users who view the compromised content.
Remediation: Update Dialogity Free Live Chat to version 1.0.4 or a newer patched version, as recommended in the advisory.
Similar Attacks
Stored XSS payloads have spread rapidly and damaged user trust because they execute in real users’ browsers whenever compromised content is viewed. A few well-known examples include:
WordPress Core: CVE-2019-8942 (stored XSS issue documented in WordPress core security history)
MySpace “Samy” worm (a classic stored XSS event that propagated through user profiles)
2010 Twitter “onMouseOver” worm (XSS-driven spread affecting user accounts and timelines)