Stored Cross-Site Scripting Vulnerability in BP Direct Menus Plugin for WordPress
CVE-2025-10189
6.4MEDIUM
What is CVE-2025-10189?
The BP Direct Menus plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This issue arises from inadequate input sanitization and output escaping within the 'bpdm_login' shortcode, present in all versions up to and including 1.0.0. Authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary scripts into pages. These scripts are executed when users visit the affected pages, potentially compromising user data and site integrity.
Affected Version(s)
BP Direct Menus * <= 1.0.0