Skip to main content

jQuery Dropdown Menu CVE-2025-30560

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-24 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Sana Ullah jQuery Dropdown Menu allows Stored XSS. This issue affects jQuery Dropdown Menu: from n/a through 3.0.

AnalysisAI

Stored cross-site scripting (XSS) in jQuery Dropdown Menu WordPress plugin (versions up to 3.0) can be triggered via CSRF, allowing remote unauthenticated attackers to inject malicious scripts into the application when an authenticated administrator is tricked into submitting a crafted request. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling persistent code execution in victim browsers with changed origin scope (S:C in CVSS vector). EPSS probability is low (0.04%, 12th percentile) indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a chained vulnerability affecting the jQuery Dropdown Menu WordPress plugin, combining Cross-Site Request Forgery (CWE-352) with stored XSS. The CSRF weakness allows attackers to forge requests on behalf of authenticated users, while the XSS component enables persistent script injection into the application's data store. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical of XSS where injected scripts execute in victim browsers under the application's origin. WordPress plugins commonly suffer from CSRF vulnerabilities when admin functions lack proper nonce validation, and when user input from those requests is stored without sanitization, the result is stored XSS. The attack vector is network-based (AV:N) with low complexity (AC:L) but requires user interaction (UI:R), consistent with social engineering an administrator to click a malicious link or visit an attacker-controlled page while authenticated.

Affected ProductsAI

WordPress jQuery Dropdown Menu plugin by Sana Ullah, versions from initial release through 3.0. The Patchstack advisory references 'jquery-drop-down-menu-plugin' as the plugin slug. All WordPress installations running this plugin at version 3.0 or earlier are vulnerable. No CPE identifiers were provided in the vulnerability data, but the plugin is distributed through the WordPress.org plugin repository.

RemediationAI

Remove or replace the jQuery Dropdown Menu plugin with a maintained alternative, as version 3.0 appears to be the latest available and no patched version has been confirmed by vendor or Patchstack advisory (https://patchstack.com/database/wordpress/plugin/jquery-drop-down-menu-plugin/vulnerability/wordpress-jquery-dropdown-menu-plugin-3-0-csrf-to-stored-xss-vulnerability). If immediate removal is not feasible, implement compensating controls: restrict WordPress admin access to trusted IP addresses via server configuration or security plugins (reduces CSRF surface but does not eliminate risk from authenticated admins on allowed IPs), enforce Content Security Policy headers to limit inline script execution (mitigates XSS impact but may break legitimate plugin functionality - test thoroughly), and train administrators to recognize CSRF attacks (never click unknown links while logged into WordPress admin panel). These workarounds provide defense-in-depth but do not fully remediate the vulnerability. Monitor WordPress.org repository and Patchstack for updated security releases.

Share

CVE-2025-30560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy