Description
The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing authenticated contributors to inject and execute arbitrary scripts on pages for all site visitors
Action: Immediate Update
AI Analysis

Impact

The Easy Jump Links Menus plugin is vulnerable to stored cross‑site scripting because the h_tags parameter is not properly sanitized or escaped. This flaw lets any authenticated user with Contributor or higher permissions embed malicious scripts into pages. When a visitor opens an affected page, the injected scripts run in that visitor’s browser, potentially stealing session data, defacing content, or redirecting traffic. The weakness is an example of CWE‑79 – Improper Neutralization of Input During Web Page Generation.

Affected Systems

WordPress sites that use the webradykal Easy Jump Links Menus plugin and are running any release up to and including version 1.0.0 are impacted. The vulnerability exists in all versions prior to 1.0.0.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% shows a low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog. Exploitation requires a legitimate contributor or higher login and involves inserting malicious content through the plugin’s shortcode editor or page editor. If successfully exploited, the attacker can compromise site visitors’ browsers and potentially compromise the site’s integrity.

Generated by OpenCVE AI on April 21, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Jump Links Menus plugin to the latest version that removes the h_tags vulnerability, or uninstall the plugin if it is not essential.
  • If an upgrade is not yet available, limit the access level allowed to edit shortcodes so that only administrators can modify h_tags, thereby preventing contributors from injecting scripts.
  • Scan the site’s content for any previously injected scripts and remove them, then re‑publish the pages to clear stored malicious code.

Generated by OpenCVE AI on April 21, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Webradykal
Webradykal easy Jump Links Menus
Wordpress
Wordpress wordpress
Vendors & Products Webradykal
Webradykal easy Jump Links Menus
Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Easy Jump Links Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Webradykal Easy Jump Links Menus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:30.168Z

Reserved: 2025-12-01T21:04:57.378Z

Link: CVE-2025-13860

cve-icon Vulnrichment

Updated: 2025-12-05T13:55:04.483Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T06:16:08.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses