Impact
The vulnerability is an improper neutralization of input during web page generation that allows an attacker to store malicious scripts in the Mega Menu Block plugin, leading to stored cross‑site scripting. An attacker who can inject content into the menu configuration could cause arbitrary JavaScript execution in the browsers of any visitor to a site that uses the affected menu, potentially enabling session hijacking, credential theft, or defacement. The flaw carries a CVSS score of 6.5, indicating moderate severity. The weakness is classified as CWE‑79, reflecting insufficient input validation and output sanitization.
Affected Systems
Jetmonsters Mega Menu Block (getwid‑megamenu) for WordPress is affected in all released versions up to and including 1.0.6. The issue lies in the plugin’s storage and rendering of menu configuration data; releases after 1.0.6 are not affected.
Risk and Exploitability
The EPSS score is reported as less than 1 %, suggesting that while exploitation is possible, it is currently considered unlikely in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the plugin’s administrative interface, where a user with sufficient privileges can create or edit menu items and embed malicious code. An attacker could then trigger the stored script by having any user view the affected menu. The moderate CVSS score, combined with the low EPSS, indicates that the overall risk is moderate but should still be addressed promptly, especially in environments that expose the plugin’s configuration to users with editing rights.
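An added example, not the plugin’s own code, showing the CWE‑79 pattern described above: stored menu configuration concatenated straight into HTML, beside a renderer that escapes each value for the context it lands in and restricts link schemes. The field names and sample menu items are constructed assumptions, not the plugin’s actual schema.

```javascript
// Constructed sample of a stored menu configuration (assumed field names,
// not the plugin's real schema). Item 2 and 3 carry content an attacker with
// edit rights could have saved.
const storedMenu = [
  { label: "Home", url: "https://example.com/" },
  { label: "Sale <script>alert(1)</script>", url: "https://example.com/sale" },
  { label: "Docs", url: "javascript:alert(1)" },
];

// Vulnerable pattern: stored strings are dropped into the page unchanged,
// so any markup or script saved in the configuration reaches every visitor.
function renderMenuUnsafe(items) {
  return "<ul>" +
    items.map(i => `<li><a href="${i.url}">${i.label}</a></li>`).join("") +
    "</ul>";
}

// Escape a value for an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Only allow http(s) links in href; anything else (javascript:, data:, ...)
// is replaced with a harmless placeholder. Relative URLs resolve against the site.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u), "https://example.com/");
    return ["http:", "https:"].includes(parsed.protocol) ? parsed.href : "#";
  } catch {
    return "#";
  }
}

// Hardened pattern: every stored value is escaped for its output context
// and the URL scheme is checked before it becomes an href.
function renderMenuSafe(items) {
  return "<ul>" +
    items.map(i =>
      `<li><a href="${escapeHtml(safeUrl(i.url))}">${escapeHtml(i.label)}</a></li>`
    ).join("") +
    "</ul>";
}
```

In a WordPress plugin the same job is done server‑side with `esc_html()`, `esc_attr()` and `esc_url()` at the point of output; escaping on save alone is not a substitute.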
OpenCVE Enrichment