CVE-2025-9540
Description
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Markup Markdown WordPress plugin before version 3.20.10 contains a Stored XSS vulnerability allowing contributor+ users to inject JavaScript into links.
Vulnerability
The Markup Markdown WordPress plugin versions prior to 3.20.10 fail to properly sanitize user-supplied input in links. This allows users with the contributor role or above to inject arbitrary JavaScript into link fields, which is then stored in the database.
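As an added illustration (not code from the Markup Markdown plugin or from its 3.20.10 fix), the snippet below shows the kind of scheme allowlist a Markdown renderer needs before a link destination is emitted into an href attribute; WordPress core offers the same protection through esc_url(), which returns an empty string for schemes outside wp_allowed_protocols(). The mm_* function names and the sample post body are hypothetical.

```php
<?php
// Added example, not the plugin's own code: allowlist the scheme of a Markdown
// link destination before it becomes <a href="...">. mm_* names are hypothetical.

const MM_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return true when $dest may be placed in an href: either it carries no scheme
 * (relative path, query or fragment) or its scheme is on the allowlist.
 * Detection runs on a normalized copy so HTML entities, mixed case and
 * embedded control characters cannot hide the scheme from the check.
 */
function mm_is_safe_link_destination(string $dest): bool {
    $probe = html_entity_decode($dest, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers skip ASCII control characters and whitespace when parsing the
    // scheme, so the probe must ignore them as well.
    $probe = preg_replace('/[\x00-\x20\x7F]/', '', $probe);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme present: relative link
    }
    return in_array(strtolower($m[1]), MM_ALLOWED_SCHEMES, true);
}

/** Render one link; a rejected destination is neutralized, not silently kept. */
function mm_render_link(string $text, string $dest): string {
    $href = mm_is_safe_link_destination($dest) ? $dest : '#';
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

/** Convert inline Markdown links [text](destination) to HTML (simplified grammar). */
function mm_render_markdown_links(string $markdown): string {
    return preg_replace_callback(
        '/\[([^\]]*)\]\(([^\s]+)\)/',
        fn(array $m): string => mm_render_link($m[1], $m[2]),
        $markdown
    );
}

// Constructed sample post body for the demo (not real plugin data).
$samples = [
    '[Guide](https://example.com/guide)',
    '[Dashboard](/wp-admin/)',
    '[Install](#install)',
    '[Click me](javascript:alert(1))',
];
foreach ($samples as $line) {
    echo mm_render_markdown_links($line), PHP_EOL;
}
```

The last sample renders with href="#" while the three ordinary destinations pass through unchanged; a production renderer would apply the same check to reference-style and autolink destinations as well.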
Exploitation
An authenticated attacker with at least contributor privileges can craft a link containing JavaScript. When other users (including admins) view the content, the script executes in their browser, leading to Stored Cross-Site Scripting (XSS). No additional authentication is required beyond the contributor role.
Impact
Successful exploitation permits the attacker to execute JavaScript in the context of other users' sessions. This can result in session hijacking, defacement, or redirection to malicious sites, compromising the security of the WordPress site and its users [1].
Mitigation
The vulnerability is fixed in version 3.20.10. All users are strongly advised to update the plugin immediately. No workarounds are reported.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <3.20.10
- (no CPE) range: <3.20.10
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.