CVE-2025-13071
Description
The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Custom Admin Menu plugin through 1.0.0 has a reflected XSS vulnerability due to unsanitized parameter output, targeting high-privilege users.
The Custom Admin Menu WordPress plugin, in versions up to and including 1.0.0, is vulnerable to a reflected cross-site scripting (XSS) attack. The root cause is a failure to properly sanitise and escape a user-supplied parameter before it is output back into the page. This omission allows an attacker to inject arbitrary JavaScript code into the generated HTML response [1].
To exploit this vulnerability, an attacker must craft a malicious URL containing the injected payload in the unsanitized parameter and lure a target user into clicking it. The attack is reflected, meaning the malicious script executes in the context of the victim's session upon visiting the crafted link. Notably, the vulnerability can be used against high-privilege users such as administrators, increasing the potential impact [1].
A successful exploit allows the attacker to execute arbitrary JavaScript in the victim's browser. In the context of a WordPress administrator session, this could lead to session hijacking, sensitive data exfiltration, or administrative actions performed on behalf of the victim without their consent. The official description notes that the attack targets high-privilege users, amplifying the severity of the XSS [1].
As of the latest advisory, no fix is available for this vulnerability [1]. The plugin's version 1.0.0 is the last known release, and users are advised to either apply monitoring and input validation workarounds or consider deactivating the plugin until a patch is released. The vulnerability has been publicly disclosed, and the plugin's status may be considered end-of-life if no updates are provided.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.