CVE-2025-13071 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Custom Admin Menu WordPress plugin through version 1.0.0. The vulnerability occurs because the plugin does not properly sanitize and escape a parameter before outputting it back to the page, enabling an attacker to inject malicious JavaScript code. This injected code executes in the browser of users who visit a crafted URL, particularly targeting high-privilege users such as administrators. The vulnerability is exploitable remotely without authentication but requires user interaction, such as clicking a malicious link. The CVSS v3.1 base score is 7.1, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). Although no public exploits are currently known, the vulnerability poses a significant risk because it can lead to session hijacking, unauthorized actions, or site defacement if exploited. The plugin’s role in managing admin menus makes the impact more critical as it targets users with elevated privileges. The vulnerability was reserved in November 2025 and published in December 2025, with no patches currently available, emphasizing the need for immediate attention from site administrators.

The impact of CVE-2025-13071 is significant for organizations using the Custom Admin Menu WordPress plugin, especially those with multiple administrators or sensitive data. Successful exploitation can lead to the execution of arbitrary scripts in the context of an admin user, potentially resulting in session hijacking, theft of credentials, unauthorized changes to site configuration, or deployment of further malware. This compromises the confidentiality, integrity, and availability of the affected WordPress sites. Given that WordPress powers a large portion of websites globally, including many business, government, and e-commerce sites, the vulnerability could facilitate targeted attacks against high-value targets. The reflected nature of the XSS means attackers must lure admins into clicking malicious links, which may limit mass exploitation but still poses a serious threat in spear-phishing or targeted attack scenarios. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation once proof-of-concept code becomes available.

To mitigate CVE-2025-13071, organizations should first check for updates or patches from the plugin developer and apply them immediately once available. In the absence of an official patch, administrators can implement input validation and output encoding at the web application firewall (WAF) or reverse proxy level to block or sanitize suspicious parameters associated with the plugin’s vulnerable functionality. Restricting access to the WordPress admin interface by IP whitelisting or VPN can reduce exposure. Educating administrators to avoid clicking on suspicious links and implementing multi-factor authentication (MFA) can limit the impact of session hijacking. Additionally, monitoring logs for unusual admin activity and scanning for injected scripts can help detect exploitation attempts. Disabling or replacing the Custom Admin Menu plugin with a more secure alternative is advisable if immediate patching is not feasible. Regular backups and incident response plans should be maintained to recover quickly from potential compromises.