Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site XSS (DOM‑Based)
Action: Patch Now
AI Analysis

Impact

The vulnerability is a DOM‑Based Cross‑Site Scripting flaw in the Menu In Post WordPress plugin. An attacker can inject malicious JavaScript that executes when a user views a post that renders the plugin's output, allowing the attacker to run arbitrary code in the victim's browser. The flaw results from improper sanitization of user input before it is written into the page. The CVE description does not list specific downstream effects; it is inferred that executing code in the client context could enable session hijacking, data theft, or content defacement. These are typical outcomes of XSS but are not directly stated in the CVE.

Affected Systems

This issue affects the WordPress plugin Menu In Post from vendor linux4me2, for all releases up to and including version 1.4.1. Any WordPress site that has installed a vulnerable version of the plugin is at risk. Versions newer than 1.4.1, if released, presumably contain the fix.

Risk and Exploitability

The base CVSS score of 5.4 classifies the vulnerability as moderate, and the EPSS score of less than 1 % suggests a low likelihood of widespread exploitation at present. The attack vector is client‑side DOM manipulation and does not require authentication; any user who views a post containing attacker‑sourced input could be impacted. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. Given these metrics, administrators should treat the issue as a moderate risk that warrants prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Menu In Post plugin to the latest available version that removes the XSS flaw.
  • If no recent version is available, disable or uninstall the plugin to prevent the flaw from being used.
  • Sanitize or delete any content that may contain malicious scripts introduced by the plugin and review existing posts for injected code.

Generated by OpenCVE AI on April 18, 2026 at 03:44 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 20:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1.

Type: Title
Values Added: WordPress Menu In Post plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:34.513Z

Reserved: 2026-01-07T12:21:19.919Z

Link: CVE-2026-22349

Vulnrichment

Updated: 2026-01-23T19:16:33.910Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:31.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses