CVE-2025-9541
Description
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Markup Markdown WordPress plugin before 3.20.10 allows Contributor+ users to inject JavaScript in links, leading to stored XSS attacks.
The Markup Markdown WordPress plugin (versions before 3.20.10) fails to properly sanitize user-supplied input when creating links. This vulnerability allows contributors and higher-privileged users to include arbitrary JavaScript within link elements, enabling stored cross-site scripting (XSS) attacks [1]. The weakness is classified as CWE-79 (Cross-site Scripting) and falls under OWASP top 10 category A7 [1].
To exploit this flaw, an attacker must have at least the Contributor role in a WordPress site where the plugin is active. The attacker inserts a malicious link containing JavaScript, which is then stored in the database. When other users (including administrators or visitors) view the affected content, the stored script executes in their browsers within the security context of the vulnerable site [1].
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, redirecting users to malicious sites, or defacing pages. The CVSS score from the WPScan advisory is 5.9 (medium), indicating moderate severity with high impact on confidentiality and integrity if successfully exploited [1].
The vulnerability has been fixed in version 3.20.10. Users are strongly advised to update the plugin immediately. No workarounds are documented; updating to the patched version is the recommended mitigation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <3.20.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.