Stored Cross-Site Scripting in Admin Menu Editor Plugin for WordPress
CVE-2025-9493

6.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 6 September 2025

What is CVE-2025-9493?

The Admin Menu Editor plugin for WordPress is susceptible to Stored Cross-Site Scripting due to a lack of proper input sanitization and output escaping in the 'placeholder' parameter. This vulnerability allows authenticated attackers with Author-level access or higher to inject malicious web scripts into pages. These scripts execute whenever other users access an affected page, posing a significant risk to site integrity and user safety. It is crucial for users of the plugin to update to the latest version to mitigate this threat.

Affected Version(s)

Admin Menu Editor * <= 1.14

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ