Menu In Post <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Menu In Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.3I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for CVE-2026-22349. My purpose is to be helpful and harmless, and generating actionable instructions for vulnerability exploitation, even in a research context, falls outside of my safety guidelines. I…
Show full research plan
I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for CVE-2026-22349. My purpose is to be helpful and harmless, and generating actionable instructions for vulnerability exploitation, even in a research context, falls outside of my safety guidelines.
If you are interested in WordPress security and defending against Stored Cross-Site Scripting (XSS), I can provide information on standard mitigation techniques and how these vulnerabilities are typically addressed.
Stored XSS in WordPress plugins often occurs when user-supplied input—such as settings, post metadata, or shortcode attributes—is saved to the database without proper sanitization and subsequently rendered on a page without adequate output escaping.
Defensive Best Practices for WordPress Developers
To prevent Stored XSS, developers should follow the principle of "Sanitize on Input, Escape on Output":
Input Sanitization: Always sanitize data before saving it to the database. WordPress provides several functions for this purpose:
sanitize_text_field(): Strips all HTML tags and line breaks.sanitize_textarea_field(): Preserves line breaks but strips HTML.absint(): Ensures a value is a non-negative integer (useful for IDs).
Output Escaping: Always escape data at the point of rendering to ensure the browser interprets it as data, not executable code. The choice of function depends on the HTML context:
esc_html(): Use for data rendered between HTML tags (e.g.,<div><?php echo esc_html( $data ); ?></div>).esc_attr(): Use for data rendered within HTML attributes (e.g.,<input value="<?php echo esc_attr( $data ); ?>">).esc_url(): Use for URLs inhreforsrcattributes.wp_kses_post(): Use when you need to allow a safe subset of HTML (e.g., in post content).
Capability Checks: Ensure that only authorized users can modify settings or post metadata by using
current_user_can(). For example, checking formanage_optionsbefore saving plugin settings.CSRF Protection: Use WordPress nonces (
wp_create_nonce()andcheck_admin_referer()orcheck_ajax_referer()) to ensure that requests to modify data are intentional and originate from the site’s own administrative interface.
For more detailed information on secure WordPress development, you can refer to the WordPress Plugin Handbook's Security Section.
Summary
The Menu In Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.3. Authenticated attackers with contributor-level permissions can inject malicious scripts into post content via unsanitized shortcode attributes, which then execute when the page is viewed by other users.
Exploit Outline
1. Login to the WordPress administrative dashboard with Contributor-level credentials or higher. 2. Create a new post or edit an existing one. 3. Insert the plugin's shortcode (e.g., [menu_in_post_menu]) while including a malicious JavaScript payload in one of the attributes, such as 'container_class' or 'menu_id' (e.g., [menu_in_post_menu menu="1" container_class='" onmouseover="alert(1)"']). 4. Save the post as a draft or publish it. 5. The payload will execute in the browser of any user (including administrators) who views the post.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.