WP Home Page Menu < 3.1 - Admin+ Stored Cross-Site Scripting
Description
The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / WP Home Page Menu WordPress plugin
- Range: <3.1
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of plugin settings allows stored cross-site scripting."
Attack vector
An attacker with administrator-level privileges navigates to the plugin's settings page and enters JavaScript into a settings field, which is then saved. Because the plugin neither sanitises the value on save nor escapes it on output [CWE-79], the payload is stored and later rendered unescaped in the admin dashboard. This yields stored cross-site scripting even when the `unfiltered_html` capability is disallowed, so an administrator who has been denied that capability can still compromise other admin users or escalate privileges [ref_id=1].
Affected code
The plugin's settings page does not sanitize or escape user-supplied values before outputting them. The advisory does not specify exact file or function names, but the fix was applied in version 3.1 via a changeset at https://plugins.trac.wordpress.org/changeset/2681478 [ref_id=1].
What the fix does
The advisory states the fix was applied in version 3.1 of the WP Home Page Menu plugin [ref_id=1]. The specific changeset (https://plugins.trac.wordpress.org/changeset/2681478) introduces proper sanitization and escaping of the plugin's settings before they are output. This prevents stored XSS by ensuring that any HTML or JavaScript entered into settings fields is neutralized before being rendered in the admin interface.
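As an added illustration (not the plugin's own code and not the linked changeset), the weak store-and-echo pattern the advisory describes is shown beside a hardened version that sanitises on save through the WordPress Settings API and escapes on output. The option name `hpm_menu_title`, the settings group and all function names are assumptions, and the code runs only inside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Option/function names are hypothetical.

// --- Weak: the raw POST value is stored, then echoed unescaped into the admin page. ---
function hpm_demo_save_weak() {
    if ( isset( $_POST['hpm_menu_title'] ) ) {
        update_option( 'hpm_menu_title', $_POST['hpm_menu_title'] ); // no sanitisation
    }
}
function hpm_demo_render_weak() {
    // A stored value containing a script tag executes for anyone viewing this page,
    // regardless of whether unfiltered_html has been removed from administrators.
    echo '<input name="hpm_menu_title" value="' . get_option( 'hpm_menu_title' ) . '">';
}

// --- Hardened: sanitise on save via register_setting(), escape on every output. ---
function hpm_demo_register_settings() {
    register_setting(
        'hpm_demo_group',
        'hpm_menu_title',
        array(
            'type'              => 'string',
            // sanitize_text_field() strips tags; use 'wp_kses_post' instead if a
            // limited, allow-listed set of HTML must be accepted.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hpm_demo_register_settings' );

function hpm_demo_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $title = get_option( 'hpm_menu_title', '' );
    // Escape for the exact output context even though the value was sanitised on
    // save: esc_attr() inside an attribute, esc_html() inside a text node.
    echo '<input name="hpm_menu_title" value="' . esc_attr( $title ) . '">';
    echo '<p>' . esc_html( $title ) . '</p>';
}
```

Settings saved through options.php pass through the registered sanitize_callback automatically, so the weak hand-rolled save handler is removed rather than patched.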
Preconditions
- Auth: Attacker must have administrator-level access to the WordPress site
- Config: The WP Home Page Menu plugin must be installed and active with a version before 3.1
- Network: The plugin's settings page must be accessible to the attacker
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/changeset/2681478 (x_refsource_CONFIRM)
- wpscan.com/vulnerability/69b178f3-5951-4879-9bbe-183951d002ec (x_refsource_MISC)
News mentions
No linked articles in our index yet.