CVE-2025-8623 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WeedMaps Menu for WordPress plugin developed by bmoredrew. The flaw exists in all versions up to and including 1.2.0, specifically in the handling of the weedmaps_menu shortcode. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the affected page and has a CVSS 3.1 base score of 6.4 (medium severity), reflecting its network attack vector, low attack complexity, and requirement for privileges but no user interaction. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the presence of stored XSS in a popular CMS plugin poses a significant risk to WordPress sites using this plugin. The vulnerability was reserved in early August 2025 and published at the end of September 2025. No official patches or updates have been linked yet, indicating the need for immediate attention from site administrators.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any visitors to those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the attack requires authentication, the risk is somewhat mitigated but remains significant in environments where contributor or higher roles are assigned to multiple users or where accounts may be compromised. The vulnerability affects the confidentiality and integrity of user data and site content but does not directly impact availability. Organizations running WordPress sites with this plugin are at risk of reputational damage, data breaches, and potential regulatory consequences if user data is compromised. The scope of affected systems is limited to sites using the WeedMaps Menu plugin, but given WordPress’s widespread use, the number of potentially vulnerable sites could be substantial.

1. Immediately restrict contributor-level and higher access to trusted users only, minimizing the attack surface. 2. Monitor and audit existing content created via the weedmaps_menu shortcode for suspicious or unauthorized scripts. 3. Apply strict input validation and output escaping in any custom code interacting with the plugin or shortcode. 4. Disable or remove the WeedMaps Menu plugin until an official patch or update is released by the vendor. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 6. Educate site administrators and content contributors about the risks of XSS and safe content creation practices. 7. Regularly update WordPress core, themes, and plugins to reduce exposure to known vulnerabilities. 8. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 9. Once available, promptly apply vendor patches or updates addressing this vulnerability.