CVE-2025-50048
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atakan Au Automatically Hierarchic Categories in Menu (automatically-hierarchic-categories-in-menu) allows Stored XSS. This issue affects Automatically Hierarchic Categories in Menu: from n/a through <= 2.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress 'Automatically Hierarchic Categories in Menu' plugin (≤2.0.9) allows script injection via improper input neutralization.
Vulnerability Overview
The Automatically Hierarchic Categories in Menu WordPress plugin, versions up to and including 2.0.9, is vulnerable to stored cross-site scripting (XSS) because user-controlled input is not properly neutralized when the plugin generates page output [1]. An attacker with sufficient privileges can inject arbitrary script or HTML that the plugin persists and later emits into the page, so the payload executes in the browsers of other users, including unauthenticated site visitors, whenever the affected page is rendered [1].
Exploitation and Attack Surface
Exploitation requires an authenticated user with at least contributor-level privileges, as the vulnerable functionality is tied to the plugin's menu management features. The attacker saves a crafted payload once; it then runs in the browser of every user, including anonymous visitors, who views a page on which the hierarchic category menu is rendered. Stored XSS in WordPress plugins is a recurring ingredient of mass-exploitation campaigns against WordPress sites, which is why a stored XSS reachable from a low-privilege account deserves prompt patching even at a Medium severity rating [1].
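To make the vulnerability class concrete, the following is an added illustrative example, not code from the Automatically Hierarchic Categories in Menu plugin or from any cited source. It assumes a category record whose name and slug were saved by a lower-privileged user (an assumption; the advisory does not name the exact field or sink), renders it into a menu without escaping, and then shows the hardened form that escapes each value for the HTML context it lands in. The `esc_html()`, `esc_attr()` and `esc_url()` fallbacks are simplified stand-ins for the WordPress functions so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example: generic stored-XSS-in-menu-output pattern, not the plugin's code.
// Fallbacks so this runs without WordPress; inside WordPress the real functions win.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only relative paths and http(s) URLs, then attribute-escape.
    function esc_url(string $url): string {
        if (preg_match('#^(?:https?:)?//#i', $url) || substr($url, 0, 1) === '/') {
            return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        return '';
    }
}

// Constructed sample data standing in for category terms read from the database.
// The second record carries an illustrative payload in both its name and slug.
$categories = [
    ['term_id' => 1, 'parent' => 0, 'name' => 'News', 'slug' => 'news'],
    ['term_id' => 2, 'parent' => 1,
     'name' => 'Tips <script>alert(document.cookie)</script>',
     'slug' => 'tips" onmouseover="alert(1)'],
];

function children(array $cats, int $parent): array {
    return array_values(array_filter($cats, fn($c) => $c['parent'] === $parent));
}

// VULNERABLE: stored fields are concatenated straight into markup.
// The name lands in a text node and the slug in an href attribute, unescaped.
function render_menu_unsafe(array $cats, int $parent = 0): string {
    $html = '<ul>';
    foreach (children($cats, $parent) as $c) {
        $html .= '<li><a href="/category/' . $c['slug'] . '/">' . $c['name'] . '</a>';
        if (children($cats, $c['term_id'])) {
            $html .= render_menu_unsafe($cats, $c['term_id']);
        }
        $html .= '</li>';
    }
    return $html . '</ul>';
}

// HARDENED: escape at output time, per context. The slug is URL-encoded as a path
// segment, the whole href passes through esc_url(), and the name through esc_html().
function render_menu_safe(array $cats, int $parent = 0): string {
    $html = '<ul>';
    foreach (children($cats, $parent) as $c) {
        $href = '/category/' . rawurlencode($c['slug']) . '/';
        $html .= '<li><a href="' . esc_url($href) . '">' . esc_html($c['name']) . '</a>';
        if (children($cats, $c['term_id'])) {
            $html .= render_menu_safe($cats, $c['term_id']);
        }
        $html .= '</li>';
    }
    return $html . '</ul>';
}

$unsafe = render_menu_unsafe($categories);
$safe   = render_menu_safe($categories);

// The unsafe output contains a live script tag and an injected attribute;
// the safe output contains neither, only their escaped text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($unsafe, 'onmouseover="alert(1)"') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, 'onmouseover="') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

The fix is applied at the sink, not the source: sanitizing on save (`sanitize_text_field()` and friends) is a useful defence in depth, but WordPress users with `unfiltered_html` can legitimately store markup, and data can reach the template from imports or other plugins, so every value must still be escaped for the context it is emitted into.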
Impact
A successful attack executes arbitrary script in the context of the victim's browser session on the affected site. Possible consequences include session hijacking, redirection to malicious sites, defacement, and theft of sensitive data such as credentials entered on the page. WordPress sets its authentication cookies with the HttpOnly flag, so an injected script typically abuses the victim's live session (for example by issuing authenticated requests as an administrator) rather than reading the cookie directly. The CVSS v3 base score is 6.5 (Medium), reflecting the requirement for authenticated access against a potentially significant impact on confidentiality and integrity [1].
Mitigation
Update the Automatically Hierarchic Categories in Menu plugin to version 2.0.10 or later, which resolves the vulnerability [1]; confirm the installed version afterwards rather than relying on the update notice alone. Sites using the Patchstack service can enable auto-updates for vulnerable plugins as an interim control [1]. The only workaround is to deactivate the plugin until it can be updated.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2.0.9
- (no CPE) range: <= 2.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.