CVE-2025-13860 in Easy Jump Links Menus Plugin
Summary
by MITRE • 12/05/2025
The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/06/2025
The Easy Jump Links Menus plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2025-13860 affecting all versions up to and including 1.0.0. This vulnerability resides in the plugin's handling of the h_tags parameter, which fails to implement proper input sanitization measures. The flaw allows authenticated attackers who possess Contributor-level permissions or higher to inject malicious scripts into the plugin's configuration parameters. The vulnerability classification aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications. The stored nature of this vulnerability means that malicious scripts are persisted in the database and executed whenever affected pages are accessed by any user, including administrators and regular visitors.
The technical implementation of this vulnerability exploits the plugin's insufficient output escaping mechanisms when processing the h_tags parameter. Attackers can leverage this weakness by crafting malicious script payloads within the parameter values and saving them through the plugin's administrative interface. Once saved, these payloads become permanently stored within the WordPress database and execute in the context of any user's browser who accesses pages containing the vulnerable content. The vulnerability specifically targets the plugin's menu generation functionality where header tags are processed, creating an attack surface that can affect multiple pages across a WordPress installation. This type of vulnerability falls under the ATT&CK technique T1566.001 which describes the use of malicious content to execute code through web application vulnerabilities.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent foothold within the WordPress environment. Contributors with access to the plugin's configuration interface can establish backdoors or steal session cookies from administrators who view affected pages. The vulnerability enables attackers to perform actions such as stealing administrative credentials, modifying content, or redirecting users to malicious sites. The privilege escalation potential is significant since contributors typically have access to various content management functions within WordPress, making this vulnerability particularly dangerous in multi-user environments where contributor accounts may be compromised. This vulnerability represents a serious security risk to WordPress installations using the affected plugin version, as it allows for persistent malicious activity without requiring additional attack vectors.
Mitigation strategies for CVE-2025-13860 should prioritize immediate plugin updates to the latest available version which addresses the input sanitization and output escaping deficiencies. Organizations should implement strict access controls to limit Contributor-level permissions to trusted users only, reducing the attack surface for potential exploitation. Network monitoring should be enhanced to detect unusual script injection patterns in plugin configuration parameters. Security headers including Content Security Policy should be implemented to prevent execution of unauthorized scripts. Regular security audits of WordPress plugins should include verification of input validation and output escaping mechanisms. The vulnerability highlights the importance of proper input sanitization practices and demonstrates how insufficient output escaping can lead to persistent XSS vulnerabilities. System administrators should also consider implementing web application firewalls to detect and block malicious script injection attempts targeting known vulnerable parameters. The ATT&CK framework suggests implementing detection measures for suspicious administrative activity patterns that may indicate exploitation attempts, particularly around plugin configuration changes.