CVE-2025-13860 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Easy Jump Links Menus plugin for WordPress, developed by webradykal. The flaw arises from improper neutralization of input during web page generation, specifically through the 'h_tags' parameter. Versions up to and including 1.0.0 fail to adequately sanitize or escape this input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the infected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond page access but does require authenticated access with at least Contributor privileges, which are commonly granted in collaborative WordPress environments. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, privileges required, no user interaction, scope change, and limited confidentiality and integrity impacts without availability impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed. This issue is classified under CWE-79, indicating improper input neutralization during web page generation. The vulnerability affects all plugin versions up to 1.0.0, which may be widely deployed in WordPress installations used by European organizations for content management and web publishing.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the Easy Jump Links Menus plugin. Attackers with Contributor-level access can inject persistent malicious scripts, which may lead to session hijacking, unauthorized actions, or data theft from users who visit compromised pages. This can result in reputational damage, regulatory non-compliance (especially under GDPR), and potential financial losses. Since the vulnerability affects the scope of the WordPress site and can impact all users accessing the infected pages, the risk extends beyond the initial attacker. Organizations with collaborative content management environments, where multiple users have Contributor or higher roles, are particularly vulnerable. The lack of a patch and absence of known exploits suggest a window of exposure, emphasizing the need for proactive mitigation. The medium CVSS score reflects moderate severity but the potential for exploitation in targeted attacks against European entities with valuable web assets.

1. Immediately review and restrict Contributor-level and higher user permissions to trusted personnel only, minimizing the risk of malicious input injection. 2. Implement additional input validation and output escaping controls at the web application or WAF level to sanitize the 'h_tags' parameter before rendering. 3. Monitor WordPress plugin repositories and vendor communications for official patches or updates addressing this vulnerability and apply them promptly upon release. 4. Conduct regular security audits and code reviews of installed plugins to detect similar input sanitization issues. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Use security plugins that can detect and block XSS payloads or anomalous user behavior. 8. Consider temporarily disabling or replacing the Easy Jump Links Menus plugin if feasible until a secure version is available. These steps go beyond generic advice by focusing on access control, layered defenses, and proactive monitoring tailored to this specific vulnerability.