The LJ Custom Menu Links plugin for WordPress contains an improper input neutralization flaw that permits reflected cross‑site scripting (CWE‑79). When an attacker crafts a malicious URL and lures a user to visit it, the arbitrary script is injected into the page that the victim’s browser renders, potentially enabling cookie theft, session hijacking, defacement, or redirection to malicious sites. The vulnerability does not appear to allow further compromise beyond the browser context, but it can lead to significant breach of confidentiality and integrity for affected users.

WordPress sites that use the littlejon LJ Custom Menu Links plugin with version 2.5 or earlier are affected. No specific sub‑versions are enumerated beyond the overall <= 2.5 range.

The CVSS score of 7.1 indicates a medium‑to‑high severity. The EPSS of less than 1% suggests that exploitation activity is rare at this time, and the vulnerability is not listed in the CISA KEV catalog. Attackers would most likely target users by delivering a crafted URL that the affected plugin renders without proper sanitization, inferring that the primary attack vector is a direct link entry or menu parameter injection. Because the flaw is reflected, an active network connection is not required; a victim must open a URL or click a menu link that contains the malicious payload.