VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

CVE-2026-11358

Description

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"Missing output escaping on the menu icon value in the `show_menu()` method allows stored cross-site scripting."

Attack vector

An authenticated attacker with administrator-level permissions can inject arbitrary JavaScript into a menu item's icon field via the WordPress menu editor. The `save_fields()` method [ref_id=1] applies `sanitize_text_field()`, which strips some characters but does not prevent script injection. When the menu is rendered on the front end, the `show_menu()` method [ref_id=1] outputs the stored icon value, without escaping, directly into the menu title via `sprintf()`, causing the stored script to execute in any visitor's browser. The advisory notes this only affects multi-site installations and installations where `unfiltered_html` has been disabled.

Affected code

The vulnerability resides in the `show_menu()` method of the `Menu_Icons_OBFX_Module` class in `obfx_modules/menu-icons/init.php`. The `$icon` value retrieved from `get_post_meta( $menu->ID, 'obfx_menu_icon', true )` is interpolated without escaping into a `sprintf()` call that constructs the menu title, allowing stored XSS. The `save_fields()` method applies `sanitize_text_field()` on save, but the output in `show_menu()` is never escaped for HTML context.

What the fix does

The patch is not included in the bundle; however, comparing the vulnerable code in version 3.0.6 [ref_id=1] with version 3.0.5 [ref_id=2] shows no change to the `show_menu()` method, indicating the vulnerability exists in both versions. The advisory states the fix requires proper output escaping in the `show_menu()` method — the `$icon` value should be passed through `esc_attr()` or `esc_html()` before being interpolated into the HTML title string. Without a patch diff, the exact remediation cannot be confirmed, but the root cause is the missing escaping on the `$icon` output.
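As an added, defender-side illustration (not Orbit Fox code and not the missing patch diff): a minimal stand-in for the `show_menu()` pattern the narrative describes, with the unescaped `sprintf()` interpolation beside a version that passes `$icon` through `esc_attr()` for attribute context and the title through `esc_html()`. The function names, the markup shape (an `<i class="…">` element, as is common for icon fonts), the fallback definitions used to run the file outside WordPress, and the constructed sample value are assumptions; only `sanitize_text_field()`, `esc_attr()` and `esc_html()` are real WordPress functions, and they are the ones the advisory names.

```php
<?php
// Added example (not the plugin's code): contrasts the unescaped render
// pattern described in the advisory with an escaped one. Markup shape and
// helper names are assumptions; only the WordPress escaping functions are real.

// Stand-ins so this file runs outside WordPress. Inside WordPress, core
// provides esc_attr() and esc_html(); the guards keep them from being redefined.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * Pattern the advisory describes as vulnerable (hypothetical stand-in):
 * the stored icon value is interpolated into markup with sprintf() and no
 * escaping. sanitize_text_field() on save does not help, because the value
 * is written into HTML attribute context at output time.
 */
function render_menu_title_unescaped( $icon, $title ) {
    return sprintf( '<i class="%s"></i> %s', $icon, $title );
}

/**
 * Hardened pattern: escape for the context the value lands in. esc_attr()
 * for the class attribute, esc_html() for the visible title text. Output
 * escaping is applied regardless of what happened on save.
 */
function render_menu_title_escaped( $icon, $title ) {
    return sprintf( '<i class="%s"></i> %s', esc_attr( $icon ), esc_html( $title ) );
}

// Constructed sample value: an icon string carrying characters that have
// special meaning in HTML attribute context (a double quote and angle brackets).
$stored_icon = 'dashicons-admin-home" <not-a-class>';
$title       = 'Home & Garden';

echo 'Unescaped: ' . render_menu_title_unescaped( $stored_icon, $title ) . PHP_EOL;
echo 'Escaped:   ' . render_menu_title_escaped( $stored_icon, $title ) . PHP_EOL;
```

In the escaped output the quote and angle brackets arrive as HTML entities, so the stored value cannot close the attribute or start a new element. To check an installed copy, open `obfx_modules/menu-icons/init.php` and see whether the `sprintf()` in `show_menu()` wraps `$icon` in `esc_attr()` or `esc_html()`; if it does not, the output is unescaped whatever `save_fields()` does on input.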

Preconditions

  • Auth: Attacker must have administrator-level permissions on a WordPress multi-site installation or an installation where `unfiltered_html` is disabled.
  • Config: The site must be using the Orbit Fox plugin with the Menu Icons module enabled.
  • Input: The attacker must have access to the WordPress menu editor (nav-menus.php) to set a malicious icon value.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6
