Reflected Cross-Site Scripting Vulnerability in Custom Admin-Bar Favorites for WordPress
CVE-2025-3868

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Custom Admin-bar Favorites
Vendor: CVE Published:; 25 April 2025

What is CVE-2025-3868?

The Custom Admin-Bar Favorites plugin for WordPress is prone to a Reflected Cross-Site Scripting vulnerability through the 'menuObject' parameter. This flaw arises from inadequate input sanitization and output escaping, enabling potential attackers to inject arbitrary scripts into web pages. If a user is tricked into clicking a compromised link, these scripts could be executed, exposing sensitive information and compromising site integrity. Users are advised to update to the latest plugin version and implement security best practices to mitigate risks.

Affected Version(s)

Custom Admin-Bar Favorites * <= 0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/abundatrade-pl...

https://wordpress.org/plugins/admin-bookmarks/

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 25, 2025
Vulnerability Reserved
Apr 22, 2025

Credit

Johannes Skamletz