VYPR
High severity 7.1 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-68845

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS. This issue affects eDS Responsive Menu: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress eDS Responsive Menu plugin (<=1.2) allows script injection via improper input neutralization.

The eDS Responsive Menu plugin for WordPress, versions up to and including 1.2, contains a reflected Cross-Site Scripting (XSS) vulnerability. This is due to improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary web scripts or HTML into the page output [1].

Exploitation

To exploit this vulnerability, an attacker must trick a user (such as a site administrator or a visitor with sufficient privileges) into clicking a specially crafted link or visiting a manipulated page. User interaction is required, but successful exploitation can initiate malicious actions [1]. The attack does not require authentication from the attacker, but the victim must be a logged-in user with at least the role indicated in the required privilege level.

Impact

A successful attack could allow a malicious actor to inject malicious scripts into the website, which execute when other users visit the affected site. This can be used to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive information from the session [1]. Patchstack rates the CVSS score as 7.1 (High).

Mitigation

At the time of disclosure, no official patch has been released for the vulnerability. Users are advised to update the plugin immediately when a fix becomes available. In the meantime, Patchstack offers a mitigation rule that blocks exploitation attempts until an official patch can be tested and safely applied [1]. If unable to update, consult your hosting provider or developer for assistance.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
