The vulnerability CVE-2025-49243 affects the sevenspark ShiftNav – Responsive Mobile Menu plugin (versions up to 1.8) and involves improper neutralization of input during web page generation, leading to stored cross-site scripting (XSS). This allows an attacker with at least low privileges and requiring user interaction to inject malicious scripts that can execute in the context of other users. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, and user interaction needed, with impacts on confidentiality, integrity, and availability.

Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of affected users, potentially leading to data disclosure, modification, or disruption of service. The medium CVSS score reflects these impacts but also the requirement for user interaction and low privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting exposure by restricting plugin usage or applying web application firewall rules to detect and block malicious input. Monitor vendor channels for updates.