Impact
The AVideo TopMenu plugin renders menu item fields—icon classes, URLs, and text labels—without proper output encoding. This flaw allows an attacker to inject malicious JavaScript that will be stored and executed on every visit to pages where the menu is rendered. The resultant script can steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The weakness is identified as CWE‑79, a classic stored cross‑site scripting attack.
Affected Systems
The vulnerability affects installations of the AVideo TopMenu plugin that use any version prior to a patched release. All sites running the plugin provide a menu editing interface and therefore expose the unescaped fields to potential exploitation.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk. No EPSS data is available and the flaw is not listed in CISA’s KEV catalog. The likely attack vector involves authenticated access to the menu‑item editing interface; once an attacker submits a payload, it is persisted and launched automatically for all visitors, regardless of their authentication state. Until the plugin is updated to a version that performs proper output encoding, the vulnerability remains a moderate threat that could lead to session hijacking or further compromise.
OpenCVE Enrichment