Impact
This vulnerability arises because the plugin fails to sanitize user input that is later used when rendering the admin menu, enabling a stored cross-site scripting attack. An attacker with sufficient access to create or edit menu items can inject arbitrary scripts that run in the browsers of site administrators who view the menu. The flaw is classified as CWE-79; it can compromise the confidentiality, integrity and availability of the administration interface and could lead to credential theft or session hijacking. The CVSS score of 5.9 indicates moderate severity.
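As an added illustration (hypothetical code, not the plugin's own, which is not shown here), a menu-rendering function with the unescaped-output flaw described above beside its hardened form using WordPress's esc_html(), esc_attr() and esc_url(); the item data and function names are constructed:

```php
<?php
// Added illustration, not the plugin's own code: unescaped stored text rendered
// into an admin menu (the stored XSS the advisory describes) beside a hardened
// version. Item data and function names are constructed.
// Stand-ins so the file runs outside WordPress; inside WP the real helpers apply.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url(string $u): string {
        // Minimal stand-in: accept only relative paths or http(s) URLs, then escape.
        return preg_match('~^(?:https?://|/|[A-Za-z0-9_.-]+\.php)~', $u)
            ? htmlspecialchars($u, ENT_QUOTES, 'UTF-8') : '';
    }
}

// Constructed menu items as they might be read back from the options table;
// the second label stands in for text saved by a user allowed to edit menu items.
function demo_menu_items(): array {
    return [
        ['id' => 'reports', 'label' => 'Reports', 'url' => 'admin.php?page=reports'],
        ['id' => 'tools', 'label' => 'Tools <script>alert(1)</script>', 'url' => 'admin.php?page=tools'],
    ];
}

// VULNERABLE: stored values are concatenated straight into markup, so HTML in
// a label runs in the browser of every administrator who views the menu (CWE-79).
function render_menu_vulnerable(array $items): string {
    $html = '<ul class="admin-menu-group">';
    foreach ($items as $it) {
        $html .= '<li id="' . $it['id'] . '"><a href="' . $it['url'] . '">' . $it['label'] . '</a></li>';
    }
    return $html . '</ul>';
}

// HARDENED: escape each value for the context it lands in (attribute, href,
// text node). Escaping on output is the fix even when input is also sanitized on save.
function render_menu_hardened(array $items): string {
    $html = '<ul class="admin-menu-group">';
    foreach ($items as $it) {
        $html .= '<li id="' . esc_attr($it['id']) . '"><a href="' . esc_url($it['url']) . '">'
               . esc_html($it['label']) . '</a></li>';
    }
    return $html . '</ul>';
}

echo render_menu_vulnerable(demo_menu_items()), "\n";
echo render_menu_hardened(demo_menu_items()), "\n";
```

Running the file prints the two renderings: the first carries the script tag through intact, the second emits it as inert text. In a real plugin the capability check on who may save menu items and sanitization on save (for example sanitize_text_field()) belong alongside the output escaping, not instead of it.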
Affected Systems
The issue affects the WordPress plugin Admin Menu Groups by chaimchaikin, versions from the earliest release through 0.1.2. Any WordPress site that has this plugin installed and is running a vulnerable version is exposed.
Risk and Exploitability
An EPSS score below 1% suggests that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog, meaning no exploitation in the wild has been reported yet. The likely attack path is an attacker who already has, or can obtain, privileges to create or modify menu items; once the payload is stored, it executes whenever an administrator visits a page that displays the menu, giving arbitrary JavaScript execution in the admin context. Given the moderate CVSS score and low EPSS, the overall risk is moderate and warrants proactive mitigation.
OpenCVE Enrichment