CVE-2025-13071 - Vulnerability Details

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

No data.

References

Link	Providers
https://wpscan.com/vulnerability/83c47c58-0395-4224-beaa-2f64ed92ef16/

History

Wed, 10 Dec 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 09 Dec 2025 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Title		Custom Admin Menu <= 1.0.0 - Reflected XSS
References		https://wpscan.com/vulnerability/83c47c58-0395-4224-beaa-2f64ed92ef16/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2025-12-09T06:00:08.538Z

Updated: 2025-12-09T06:00:08.538Z

Reserved: 2025-11-12T14:45:05.083Z

Link: CVE-2025-13071

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-12-09T16:17:35.200

Modified: 2025-12-09T18:37:13.640

Link: CVE-2025-13071

Redhat

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object