{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3868", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-22T14:49:46.619Z", "datePublished": "2025-04-25T06:45:28.347Z", "dateUpdated": "2026-04-08T16:48:42.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:42.156Z"}, "affected": [{"vendor": "codeandreload", "product": "Custom Admin-Bar Favorites", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/417fb507-a414-4bc2-ab01-d6f2fc554350?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/abundatrade-plugin/tags/1.8.02/abundatrade_pugin.php"}, {"url": "https://wordpress.org/plugins/admin-bookmarks/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-04-24T18:32:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T15:43:24.765789Z", "id": "CVE-2025-3868", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:01:59.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3868", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T15:43:24.765789Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T15:43:26.264Z"}}], "cna": {"title": "Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Johannes Skamletz"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "codeandreload", "product": "Custom Admin-Bar Favorites", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-24T18:32:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/417fb507-a414-4bc2-ab01-d6f2fc554350?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/abundatrade-plugin/tags/1.8.02/abundatrade_pugin.php"}, {"url": "https://wordpress.org/plugins/admin-bookmarks/"}], "descriptions": [{"lang": "en", "value": "The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-25T06:45:28.347Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3868", "state": "PUBLISHED", "dateUpdated": "2025-04-25T16:01:59.432Z", "dateReserved": "2025-04-22T14:49:46.619Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-25T06:45:28.347Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Custom Admin-Bar Favorites para WordPress es vulnerable a ataques de Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'menuObject' en todas las versiones hasta la 0.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-3868", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-25T07:15:48.473", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/abundatrade-plugin/tags/1.8.02/abundatrade_pugin.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/admin-bookmarks/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/417fb507-a414-4bc2-ab01-d6f2fc554350?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:39:16.117131+00:00", "value": {"mitigation_remediation": ["Upgrade the Custom Admin\u2011Bar Favorites plugin to the latest version (beyond 0.1) or uninstall it if a patch is not available.", "If the plugin must remain active and no newer version exists, disable the menuObject parameter entirely or remove the affected code path, and enforce strict input validation and output escaping using WordPress\u2019s sanitization functions or a dedicated security plugin.", "Deploy a Content Security Policy that blocks inline scripts and whitelists only trusted script sources, reducing the damage of any reflected payload.", "Monitor logs for attempts to exploit the menuObject parameter and block suspicious traffic through web\u2011application firewall rules or rate\u2011limiting."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the Custom Admin\u2011Bar Favorites plugin with a version 0.1 or earlier is affected. The vulnerability exists in the plugin\u2019s menu handling code and is triggered by the menuObject query string parameter present in the browser request. The plugin is distributed under the codeandreload vendor and can be found in the WordPress plugin repository or other third\u2011party listings.", "description_and_impact": "The Custom Admin\u2011Bar Favorites WordPress plugin, versions up to and including 0.1, accepts a user\u2011supplied parameter called menuObject that is neither properly sanitized nor escaped. This allows an attacker to inject arbitrary client\u2011side scripts when the parameter value is reflected in the page response. An unauthenticated attacker can therefore exploit the vulnerability simply by luring a victim to a crafted URL, leading to the execution of malicious JavaScript in the victim\u2019s browser. The impact includes theft of session cookies, credential phishing, or other malicious actions performed on behalf of the user. The weakness is a classic reflected Cross\u2011Site Scripting flaw identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS rating of less than 1% suggests that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web\u2011based malicious link that a user may click; exploiting it requires no authentication or privilege escalation, making the attack relatively accessible to casual threat actors."}}}}, "created": "2025-07-12T23:06:32.119578+00:00", "updated": "2026-04-22T01:45:05.622661+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}