The Admin Menu Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and

WORDPRESS

08-09-2025 14:47

CVE-2025-9493 Vulnerabilidad documentada

6.4 MEDIUM

Tags

#wordpress

#site

#plugin

#cross

#web

#menu

#editor

#cross-site

#admin menu editor

#admin

#/admin(.*)menu(.*)editor/iU

#cross-site scripting

#attackers

#authenticated

#arbitrary

#vulnerable

#scripting

#inject

#execute

#attack

#access

Descripción

The Admin Menu Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.14 due insufficient input sanitization output escaping. This makes it possible authenticated attackers, with Author-level access above, inject arbitrary web scripts pages that will execute whenever a user accesses an injected page.

https://plugins.trac.wordpress.org/browser/admin-menu-editor/tags/1.14/includes/shortcodes.php#L42

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3353790 40admin-menu-editor&old=3329611 40admin-menu-editor&sfp_email=&sfph_mail=#file857

https://wordpress.org/plugins/admin-menu-editor/

https://www.wordfence.com/threat-intel/vulnerabilities/id/69b9d4e1-895b-4199-bc4e-489afd9d36eb?source=cve

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-9493

Resultados similares

Coincidentes en almenos en 50% de los tags

08-09-2025 CVE-2025-9442
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scri...
Ver información

08-09-2025 CVE-2025-9126
The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t...
Ver información