CVE-2025-23881
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in littlejon LJ Custom Menu Links lj-custom-menu-links allows Reflected XSS. This issue affects LJ Custom Menu Links: from n/a through <= 2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in LJ Custom Menu Links plugin (<=2.5) allows attackers to inject malicious scripts via crafted links, requiring user interaction.
Vulnerability Overview
The LJ Custom Menu Links plugin for WordPress (versions up to and including 2.5) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw occurs when the plugin processes certain parameters without adequate sanitization or output encoding, allowing an attacker to inject arbitrary HTML and JavaScript code.
Exploitation Details
To exploit this vulnerability, an attacker must craft a malicious URL containing the XSS payload and trick a privileged user (such as an administrator) into clicking it. The victim must be logged into the WordPress admin area for the attack to succeed. No direct authentication is required from the attacker, but user interaction is necessary [1]. The reflected nature means the payload is executed immediately in the victim's browser session.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's WordPress admin session. This can lead to session hijacking, defacement, injection of malicious redirects or advertisements, and other actions that compromise the integrity and confidentiality of the affected site [1]. The CVSS v3 score of 7.1 (High) reflects the potential for widespread abuse, and the vulnerability is expected to be targeted in mass-exploit campaigns.
Mitigation
As of the publication date, no official patch has been released for the plugin. However, Patchstack has issued a virtual mitigation rule that blocks attacks until an update becomes available [1]. Users are strongly advised to update the plugin as soon as a patched version is released, or to apply the mitigation rule. If unable to update, consulting with a hosting provider or web developer is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.