The Easy Jump Links Menus plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13860. This vulnerability is due to improper neutralization of input during web page generation, specifically in the handling of the 'h_tags' parameter. Versions up to and including 1.0.0 fail to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially affecting all visitors including administrators. The vulnerability does not require user interaction but does require the attacker to be authenticated with low-level privileges, which lowers the barrier to exploitation within compromised or insider environments. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, and a scope change affecting confidentiality and integrity but not availability. No patches or known exploits are currently available, highlighting the need for proactive mitigation. The vulnerability is classified under CWE-79, a common and dangerous web security flaw that can lead to session hijacking, data theft, or unauthorized actions on behalf of users.

This vulnerability can have significant impacts on organizations running WordPress sites with the Easy Jump Links Menus plugin. An attacker with Contributor-level access can inject persistent malicious scripts that execute in the context of other users, including administrators. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed with elevated privileges, and potential defacement or redirection attacks. The compromise of administrative accounts could lead to full site takeover, data breaches, or further malware deployment. Since the vulnerability affects confidentiality and integrity but not availability, the primary risks are data exposure and unauthorized modifications. The ease of exploitation by low-privilege authenticated users increases risk in environments where user accounts may be compromised or where contributors are not fully trusted. Organizations with public-facing WordPress sites, especially those relying on this plugin, face reputational damage, regulatory compliance issues, and operational disruptions if exploited.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, immediate steps include disabling or uninstalling the Easy Jump Links Menus plugin to eliminate the attack vector. Restrict Contributor-level user permissions and audit existing user accounts to ensure no unauthorized users have access. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'h_tags' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs and site behavior for signs of XSS exploitation or unusual activity. Educate site administrators and contributors about the risks of XSS and safe content management practices. Finally, consider alternative plugins with better security track records if the functionality is essential.