{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13704", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T21:45:09.181Z", "datePublished": "2026-01-09T11:15:34.128Z", "dateUpdated": "2026-04-08T17:13:27.278Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:27.278Z"}, "affected": [{"vendor": "amirshk", "product": "Autogen Headers Menu", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-01-08T21:56:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T17:51:02.116475Z", "id": "CVE-2025-13704", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T17:52:39.497Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13704", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T17:51:02.116475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T17:52:09.528Z"}}], "cna": {"title": "Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "amirshk", "product": "Autogen Headers Menu", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T21:56:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53"}], "descriptions": [{"lang": "en", "value": "The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:27.278Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13704", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:27.278Z", "dateReserved": "2025-11-25T21:45:09.181Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T11:15:34.128Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Autogen Headers Menu para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'head_class' del shortcode 'autogen_menu' en todas las versiones hasta la 1.0.1, ambas inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-13704", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T12:15:51.583", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:28:42.204347+00:00", "value": {"mitigation_remediation": ["Upgrade the Autogen Headers Menu plugin to a version newer than 1.0.1 that implements proper input validation and output escaping for the head_class parameter.", "If an upgrade is not immediately possible, remove or disable the autogen_menu shortcode from all pages or restrict its usage to trusted administrators only.", "Implement a review process to audit pages for the presence of the vulnerable shortcode and ensure no malicious code has been injected."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via non\u2011sanitized shortcode parameter that allows exfiltration of user data or session hijacking"}, "threat_synthesis": {"affected_systems": "WordPress sites running any version of the Autogen Headers Menu plugin up to and including 1.0.1 are affected. The plugin is released under the vendor amirshk and the vulnerability exists in all code revisions before 1.0.2, if available.", "description_and_impact": "The Autogen Headers Menu plugin can store malicious scripts in the database through the head_class attribute of its autogen_menu shortcode. When a user visits a page containing that shortcode, the injected script runs in the user\u2019s browser, potentially enabling cookie theft, session hijacking, and other client\u2011side compromise. The flaw is a classic stored XSS (CWE\u201179) with no server\u2011side validation or escaping.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access with at least Contributor privileges, after which an attacker can inject arbitrary JavaScript via the head_class parameter and have it persist for all visitors to the affected page. This makes the attack vector authenticated but not highly privileged, and only possible on pages that already use the compromised shortcode."}}}}, "created": "2026-01-09T13:23:36.598283+00:00", "updated": "2026-04-21T00:30:22.979708+00:00", "vendors": ["amirshk", "amirshk$PRODUCT$autogen_headers_menu", "wordpress", "wordpress$PRODUCT$wordpress"]}