CVE-2025-9493

Vulnerability

Overview The Admin Menu Editor plugin for WordPress, in all versions up to and including 1.14, contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping of the placeholder parameter used in the [ame-user-info] shortcode. This shortcode is intended to display user information and accepts a placeholder attribute for content shown to unauthenticated visitors [1].

Exploitation

An authenticated attacker with at least Author-level access can inject arbitrary web scripts by providing a malicious value for the placeholder parameter when inserting the shortcode into a post or page. The injected script is stored on the server and will execute in the browser of any user who views the affected page, including administrators [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack requires an authenticated user with Author privileges, limiting the pool of potential attackers but still posing a significant risk to multi-author WordPress sites [1].

Mitigation

The plugin vendor has not yet released a patched version as of the publication date. Users are advised to restrict the use of the vulnerable shortcode, apply the principle of least privilege to user roles, and consider using a Web Application Firewall (WAF) to detect and block XSS payloads until an official update is released [1].