
CVE-2025-8623: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bmoredrew WeedMaps Menu for WordPress

Severity: Medium
Tags: Vulnerability, CVE-2025-8623, CWE-79
Published: Tue Sep 30 2025 (09/30/2025, 03:35:28 UTC)
Source: CVE Database V5
Vendor/Project: bmoredrew
Product: WeedMaps Menu for WordPress

Description

The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmaps_menu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 09/30/2025, 04:02:25 UTC

Technical Analysis

CVE-2025-8623 is a stored Cross-Site Scripting (XSS) vulnerability in the WeedMaps Menu plugin for WordPress, developed by bmoredrew. It affects all versions up to and including 1.2.0. The root cause is insufficient input sanitization and output escaping of user-supplied attributes in the plugin's weedmaps_menu shortcode: an authenticated user with contributor-level access or higher can place a shortcode with crafted attribute values in a post, and the plugin renders those values into the page unescaped. When other users view the page, the injected script runs in their browsers. Because the plugin builds this HTML at render time, the usual WordPress filtering of raw HTML in content saved by users who lack the unfiltered_html capability does not protect against it; the shortcode handler itself has to escape what it outputs. The weakness is classified as CWE-79, improper neutralization of input during web page generation.

The CVSS v3.1 base score is 6.4 (medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L); it requires low privileges (PR:L) but no user interaction (UI:N). The scope is changed (S:C), because the script executes in the browsers of other users, beyond the vulnerable component itself. Confidentiality and integrity are impacted at a low level (C:L/I:L); availability is not affected (A:N). No exploits in the wild are currently reported, and no patch has been linked yet.

The injection is persistent, so depending on the payload it can enable session hijacking, defacement, or follow-on attacks against visitors. Since contributor-level access is required, an attacker must first compromise, or legitimately hold, a WordPress account with that role, which is a moderate barrier but a common situation on multi-user WordPress sites. The vulnerability is particularly relevant to sites that use the WeedMaps Menu plugin to display menus, commonly cannabis-related businesses and directories, which may have their own user base and content-management workflows.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to websites running WordPress with the WeedMaps Menu plugin installed. The impact includes potential theft of user credentials or session tokens, unauthorized actions performed on behalf of users, and reputational damage due to defacement or malicious content injection. Since the vulnerability requires contributor-level access, the initial compromise vector might be through weak or stolen credentials or social engineering targeting site contributors. Organizations in Europe operating cannabis-related businesses, dispensaries, or directories using this plugin are at heightened risk. The confidentiality and integrity of user data can be compromised, potentially violating GDPR requirements concerning data protection and breach notification. Additionally, the persistent nature of stored XSS can facilitate further attacks such as phishing or malware distribution to site visitors, amplifying the threat. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable by unauthenticated attackers, somewhat limiting the scope of impact. However, given the widespread use of WordPress in Europe and the increasing legalization and regulation of cannabis businesses, affected organizations must prioritize remediation to avoid regulatory penalties and customer trust erosion.

Mitigation Recommendations

1. Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing user accounts for suspicious activity.
2. Implement strict input validation and output encoding on all user-supplied data, especially within the weedmaps_menu shortcode attributes.
3. Monitor and sanitize existing content generated by the plugin to detect and remove any injected scripts.
4. Since no official patch is currently linked, organizations should consider disabling the WeedMaps Menu plugin temporarily until a secure update is released.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads targeting the plugin's shortcode parameters.
6. Conduct regular security training for content contributors to reduce the risk of credential compromise.
7. Enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
8. Maintain up-to-date backups of website content to facilitate recovery if exploitation occurs.
9. Monitor security advisories from the plugin vendor and WordPress security community for updates or patches addressing this vulnerability.
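The shortcode-rendering pattern described in the technical analysis, and the validation-plus-escaping fix that recommendation 2 calls for, as an added illustration in PHP. This is not the WeedMaps Menu plugin's code: the shortcode name menu_demo and its attributes title, url and count are hypothetical stand-ins, because the page does not list the real weedmaps_menu attributes. The helper functions used (add_shortcode, shortcode_atts, sanitize_text_field, absint, esc_url_raw, esc_html, esc_attr, esc_url) are standard WordPress core APIs.

```php
<?php
/**
 * Added illustration, not the WeedMaps Menu plugin's code.
 * [menu_demo title="..." url="..." count="..."] is a hypothetical shortcode;
 * the attribute names are assumptions for the example.
 */

// Weak pattern: the class of defect the advisory describes.
// Attribute values are concatenated straight into the returned HTML.
function demo_menu_shortcode_unsafe( $atts ) {
	$atts = shortcode_atts(
		array( 'title' => 'Menu', 'url' => '', 'count' => 10 ),
		$atts,
		'menu_demo_unsafe'
	);
	// No validation, no escaping: whatever a contributor typed into the
	// shortcode attributes lands in the page verbatim at render time.
	return '<div class="menu"><h2>' . $atts['title'] . '</h2>'
		. '<a href="' . $atts['url'] . '">Open</a>'
		. '<span data-count="' . $atts['count'] . '"></span></div>';
}
add_shortcode( 'menu_demo_unsafe', 'demo_menu_shortcode_unsafe' );

// Hardened pattern: validate on input, then escape on output for the
// specific HTML context each value is written into.
function demo_menu_shortcode_safe( $atts ) {
	$atts = shortcode_atts(
		array( 'title' => 'Menu', 'url' => '', 'count' => 10 ),
		$atts,
		'menu_demo'
	);

	// Input validation: coerce each attribute to its expected shape.
	$title = sanitize_text_field( $atts['title'] );                  // strips tags and control characters
	$count = absint( $atts['count'] );                               // non-negative integer only
	$url   = esc_url_raw( $atts['url'], array( 'http', 'https' ) );  // rejects non-http(s) schemes

	// Output escaping chosen per context.
	$html  = '<div class="menu">';
	$html .= '<h2>' . esc_html( $title ) . '</h2>';                  // text-node context
	if ( '' !== $url ) {
		$html .= '<a href="' . esc_url( $url ) . '">Open</a>';       // URL-attribute context
	}
	$html .= '<span data-count="' . esc_attr( $count ) . '"></span>'; // plain-attribute context
	$html .= '</div>';
	return $html;
}
add_shortcode( 'menu_demo', 'demo_menu_shortcode_safe' );
```

Two points the hardened version relies on. First, validation and escaping are not interchangeable: sanitize_text_field narrows what a value can be, while esc_html, esc_attr and esc_url make whatever remains safe in the one context it is emitted into, so a value that later moves from a text node into an attribute still needs the matching escaper. Second, the escaping has to live in the shortcode handler: WordPress runs its kses filter when a contributor's post is saved, but shortcode output is generated afterwards, when the post is rendered, so that filter never sees the HTML the handler builds. A restrictive Content-Security-Policy (recommendation 7) limits what an injected inline script could do but is defence in depth, not a substitute for the handler escaping its own output.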


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-05T20:49:45.341Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68db52afa473ffe031e447da

Added to database: 9/30/2025, 3:46:55 AM

Last enriched: 9/30/2025, 4:02:25 AM

Last updated: 9/30/2025, 10:37:36 AM

