jQuery Dropdown Menu CVE-2025-30560
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Sana Ullah jQuery Dropdown Menu allows Stored XSS. This issue affects jQuery Dropdown Menu: from n/a through 3.0.
AnalysisAI
Stored cross-site scripting (XSS) in jQuery Dropdown Menu WordPress plugin (versions up to 3.0) can be triggered via CSRF, allowing remote unauthenticated attackers to inject malicious scripts into the application when an authenticated administrator is tricked into submitting a crafted request. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling persistent code execution in victim browsers with changed origin scope (S:C in CVSS vector). EPSS probability is low (0.04%, 12th percentile) indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This is a chained vulnerability affecting the jQuery Dropdown Menu WordPress plugin, combining Cross-Site Request Forgery (CWE-352) with stored XSS. The CSRF weakness allows attackers to forge requests on behalf of authenticated users, while the XSS component enables persistent script injection into the application's data store. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical of XSS where injected scripts execute in victim browsers under the application's origin. WordPress plugins commonly suffer from CSRF vulnerabilities when admin functions lack proper nonce validation, and when user input from those requests is stored without sanitization, the result is stored XSS. The attack vector is network-based (AV:N) with low complexity (AC:L) but requires user interaction (UI:R), consistent with social engineering an administrator to click a malicious link or visit an attacker-controlled page while authenticated.
Affected ProductsAI
WordPress jQuery Dropdown Menu plugin by Sana Ullah, versions from initial release through 3.0. The Patchstack advisory references 'jquery-drop-down-menu-plugin' as the plugin slug. All WordPress installations running this plugin at version 3.0 or earlier are vulnerable. No CPE identifiers were provided in the vulnerability data, but the plugin is distributed through the WordPress.org plugin repository.
RemediationAI
Remove or replace the jQuery Dropdown Menu plugin with a maintained alternative, as version 3.0 appears to be the latest available and no patched version has been confirmed by vendor or Patchstack advisory (https://patchstack.com/database/wordpress/plugin/jquery-drop-down-menu-plugin/vulnerability/wordpress-jquery-dropdown-menu-plugin-3-0-csrf-to-stored-xss-vulnerability). If immediate removal is not feasible, implement compensating controls: restrict WordPress admin access to trusted IP addresses via server configuration or security plugins (reduces CSRF surface but does not eliminate risk from authenticated admins on allowed IPs), enforce Content Security Policy headers to limit inline script execution (mitigates XSS impact but may break legitimate plugin functionality - test thoroughly), and train administrators to recognize CSRF attacks (never click unknown links while logged into WordPress admin panel). These workarounds provide defense-in-depth but do not fully remediate the vulnerability. Monitor WordPress.org repository and Patchstack for updated security releases.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today