Impact
The vulnerability exists in BP Direct Menus versions up to and including 1.0.0 and is caused by insufficient sanitization and escaping of attributes passed to the plugin’s ‘bpdm_login’ shortcode. An authenticated attacker with contributor level or higher privileges can inject malicious scripts into the attribute value. When an affected user accesses a page that contains the injected shortcode, the stored script runs in the context of the user’s browser, allowing the attacker to hijack user sessions, deface content, or exfiltrate data. This flaw is identified as CWE‑79, a classic cross‑site scripting weakness that compromises confidentiality, integrity, and availability of the web application for all users who view the compromised pages.
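The root cause named above is a shortcode handler that passes attribute values into HTML without sanitizing them on input or escaping them on output. The following is an added, illustrative handler for a shortcode of the same name, not the BP Direct Menus plugin's own code: the attribute names (`label`, `redirect`), the markup and the defaults are assumptions chosen to show the fix. The weak pattern is noted in a comment; the function body shows the hardened form using the WordPress sanitizing and escaping API.

```php
<?php
/*
 * Illustrative hardened shortcode handler (added example; not the
 * BP Direct Menus plugin's code). The shortcode name 'bpdm_login' comes
 * from the advisory; the attribute names ('label', 'redirect'), the
 * defaults and the markup are assumptions for illustration.
 *
 * Weak pattern the advisory describes (not executed here): the raw
 * contributor-supplied attribute values are concatenated straight into
 * the returned HTML, so no sanitization or escaping ever happens.
 */

function bpdm_login_shortcode_hardened( $atts ) {
    // shortcode_atts() whitelists the accepted attributes and supplies
    // defaults; any other attribute a contributor types is discarded.
    $atts = shortcode_atts(
        array(
            'label'    => 'Log in',
            'redirect' => home_url( '/' ),
        ),
        $atts,
        'bpdm_login'
    );

    // Sanitize on input: a plain-text label and a URL are the only
    // shapes these attributes may legitimately take.
    $label    = sanitize_text_field( $atts['label'] );
    $redirect = esc_url_raw( $atts['redirect'] );

    // wp_login_url() appends the redirect as a query argument.
    $login_url = wp_login_url( $redirect );

    // Escape on output, with the escaper matching the context:
    // esc_url() for the href attribute, esc_html() for the text node.
    return sprintf(
        '<a class="bpdm-login" href="%s">%s</a>',
        esc_url( $login_url ),
        esc_html( $label )
    );
}
add_shortcode( 'bpdm_login', 'bpdm_login_shortcode_hardened' );
```

The two-step discipline is the point: sanitizing on input constrains what the value may be, and escaping on output makes the value inert in the specific HTML context it lands in. Either step alone leaves a gap; esc_html() would not make an unchecked URL safe inside href, and sanitize_text_field() does not HTML-encode quotes.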
Affected Systems
WordPress sites that have the BP Direct Menus plugin installed, specifically any instance of the plugin at version 1.0.0 or older. The vendor is mrwulf, and the vulnerability applies to all releases up to and including 1.0.0. No other affected versions are listed, so any site still running the latest listed version is at risk.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, while the EPSS score is below 1 %, suggesting a low probability that exploitation will be observed in the wild. The flaw is not currently listed in CISA's KEV catalog. Although exploitation requires authenticated access, any user with contributor-level privileges on the site can perform it, and attackers who obtain or escalate to contributor status could plant hidden scripts that compromise other users' sessions and data. The primary attack vector is normal page rendering after a contributor inserts malicious code into the shortcode. The likelihood of exploitation is low but not negligible, and the impact extends to every user who views the affected content.
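Because the vector is ordinary page rendering of content a contributor has already saved, the practical check for a site owner is to enumerate where the shortcode is used and review the attribute values before updating or disabling the plugin. The following audit routine is an added example, not OpenCVE's or the plugin's code; it uses only the core WordPress functions WP_Query, get_shortcode_regex() and shortcode_parse_atts(), and the `suspicious` heuristic (angle brackets or a `javascript:` scheme inside a parsed value) is an assumption that a real review would refine. It is meant to run inside a WordPress bootstrap, for instance through `wp eval-file`.

```php
<?php
/*
 * Illustrative audit (added example; not OpenCVE's or the plugin's code).
 * Lists every post embedding the 'bpdm_login' shortcode together with the
 * author and the parsed attribute values so an administrator can review
 * what contributors have inserted. Run inside WordPress (e.g. wp eval-file).
 */
function bpdm_audit_shortcode_usage( $shortcode = 'bpdm_login' ) {
    $findings = array();

    // Cheap pre-filter: only posts whose content mentions the shortcode.
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => '[' . $shortcode,
    ) );

    // Core regex for exactly this shortcode; capture group 3 is the
    // raw attribute string.
    $pattern = '/' . get_shortcode_regex( array( $shortcode ) ) . '/s';

    foreach ( $query->posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // shortcode_parse_atts() returns an array, or a string when
            // the shortcode carries no attributes at all.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                $atts = array();
            }

            // Assumed heuristic: a legitimate label or URL never needs
            // angle brackets or a javascript: scheme.
            $suspicious = false;
            foreach ( $atts as $value ) {
                if ( is_string( $value ) && preg_match( '/[<>]|javascript:/i', $value ) ) {
                    $suspicious = true;
                    break;
                }
            }

            $findings[] = array(
                'post_id'    => $post->ID,
                'author'     => get_the_author_meta( 'user_login', $post->post_author ),
                'atts'       => $atts,
                'suspicious' => $suspicious,
            );
        }
    }
    return $findings;
}

foreach ( bpdm_audit_shortcode_usage() as $f ) {
    printf(
        "post %d by %s%s: %s\n",
        $f['post_id'],
        $f['author'],
        $f['suspicious'] ? ' [REVIEW]' : '',
        wp_json_encode( $f['atts'] )
    );
}
```

Reviewing post_author alongside the attribute values matters here: the advisory's precondition is a contributor-level account, so entries authored by contributors that carry unexpected attribute content deserve the first look, and a spike in such edits is the signal a content-change audit trail should surface.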
OpenCVE Enrichment