Overview
CVE-2025-13860 describes a stored Cross-Site Scripting (XSS) vulnerability found in the Easy Jump Links Menus plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The flaw stems from insufficient input sanitization and output escaping of the h_tags parameter. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious JavaScript code into pages. When a user visits a page containing the injected script, the script will execute in their browser, potentially allowing the attacker to steal sensitive information, redirect the user to a malicious website, or perform actions on behalf of the user.
Technical Details
The vulnerability resides within the handling of the h_tags parameter. This parameter is used to define the heading tags to be used in the jump links menu. The plugin fails to properly sanitize the input received for this parameter. Specifically, the code at or near line 52 in the plugin’s main file (easy-jump-links-menus.php) in both versions 1.0.0 and the trunk does not adequately escape the output when rendering the jump links menu. This allows an attacker to inject arbitrary HTML and JavaScript code within the h_tags parameter. The attacker crafts a malicious request containing the XSS payload, which is then stored in the WordPress database. When a page using the Easy Jump Links Menus plugin is displayed, the stored XSS payload is rendered, executing the malicious JavaScript in the victim’s browser.
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 6.4
This score reflects the fact that the vulnerability requires authentication and a certain level of user privileges (Contributor or higher) to exploit, but the impact of a successful exploit can be significant.
Possible Impact
A successful exploitation of this stored XSS vulnerability can lead to several negative consequences, including:
- Account Takeover: An attacker could potentially steal a user’s session cookie and use it to hijack their account.
- Malicious Redirects: The attacker could redirect users to phishing websites designed to steal their credentials.
- Defacement: The attacker could modify the content of the website, defacing it or injecting malicious content.
- Malware Distribution: The attacker could inject malicious code that downloads and executes malware on the user’s computer.
- Data Theft: Sensitive data, such as user information or database credentials, could be stolen.
Mitigation & Patch Steps
The best course of action is to immediately update the Easy Jump Links Menus plugin to a version that patches this vulnerability. If an update is not available, consider temporarily deactivating the plugin until a patched version is released.
As a temporary workaround (use with caution and at your own risk, only if no update is available), you could implement input sanitization on the h_tags parameter using a custom function or a WordPress plugin designed for input validation. However, this is not a substitute for a proper patch from the plugin developer.
