Description
The Admin Menu Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowed for authenticated users with Contributor level or higher in WordPress
Action: Patch
AI Analysis

Impact

This vulnerability arises from insufficient input sanitization and output escaping of the ‘placeholder’ parameter in the Admin Menu Editor plugin. An attacker who has authenticated access as an Author or higher can inject arbitrary JavaScript that is stored and subsequently rendered in pages that include the impacted menu item. The stored payload executes whenever any site visitor loads the affected page, potentially allowing the attacker to steal credentials, hijack sessions, or deface content.

Affected Systems

The flaw exists in all versions of the Admin Menu Editor plugin for WordPress supplied by whiteshadow up to and including version 1.14. Newer releases are not indicated as affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at the time of the assessment. The vulnerability is not currently listed in the CISA KEV catalog. Attackers require authenticated access at the Contributor level or higher and must submit a payload via the placeholder field; once stored, the script runs in the context of any user who views the affected page. The exposed impact lies primarily in confidentiality and integrity of user sessions and the site’s UI.

Generated by OpenCVE AI on April 21, 2026 at 03:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Admin Menu Editor plugin to the latest released version that removes the placeholder vulnerability
  • Review and clean any existing menu items that include custom placeholder values containing user‑supplied content; delete or replace them
  • Enforce stricter role‑based access controls by limiting Contributor or Author permissions when the plugin is in use, or consider disabling the plugin if advanced menu editing is not required

Generated by OpenCVE AI on April 21, 2026 at 03:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared W-shadow
W-shadow admin Menu Editor
Wordpress
Wordpress wordpress
Vendors & Products W-shadow
W-shadow admin Menu Editor
Wordpress
Wordpress wordpress

Mon, 08 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Admin Menu Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Admin Menu Editor <= 1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

W-shadow Admin Menu Editor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:43.156Z

Reserved: 2025-08-26T17:32:55.400Z

Link: CVE-2025-9493

cve-icon Vulnrichment

Updated: 2025-09-08T20:18:58.309Z

cve-icon NVD

Status : Deferred

Published: 2025-09-06T04:16:08.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9493

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses