CVE-2025-13860 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Easy Jump Links Menus plugin for WordPress, developed by webradykal. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'h_tags' parameter, which lacks sufficient sanitization and output escaping. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.0.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. No patches or known exploits have been reported at the time of publication, but the risk remains significant due to the ease of exploitation by authenticated users. The vulnerability is categorized under CWE-79, highlighting the classic XSS issue of improper input validation and output encoding in web applications.

For European organizations, this vulnerability poses a risk primarily to WordPress sites utilizing the Easy Jump Links Menus plugin, especially those allowing Contributor-level user submissions. Exploitation can lead to session hijacking, unauthorized actions, and potential data leakage, undermining confidentiality and integrity of web applications. Organizations in sectors such as media, education, and e-commerce that rely on user-generated content are particularly vulnerable. The stored nature of the XSS means that once injected, the malicious code can affect multiple users over time, increasing the attack surface. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but can escalate if combined with social engineering or privilege escalation. The absence of known exploits reduces immediate risk but should not lead to complacency. Additionally, compromised sites may suffer reputational damage and regulatory scrutiny under GDPR if personal data is exposed or manipulated.

To mitigate this vulnerability, organizations should first restrict Contributor-level access to trusted users and review user roles to minimize unnecessary privileges. Implement strict input validation and output encoding on the 'h_tags' parameter within the plugin code or via web application firewalls (WAFs) to neutralize malicious scripts. Monitor website content for unexpected script injections and conduct regular security audits of WordPress plugins. Since no official patch is currently available, consider temporarily disabling or replacing the Easy Jump Links Menus plugin with a secure alternative. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Educate site administrators and contributors about the risks of XSS and safe content practices. Finally, maintain up-to-date backups to enable quick recovery if exploitation occurs.