CVE-2025-3748
📋 TL;DR
The Taxonomy Chain Menu WordPress plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials, session cookies, or redirecting users to malicious sites. All WordPress sites using this plugin up to version 1.0.8 are affected.
💻 Affected Systems
- WordPress Taxonomy Chain Menu plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malware distribution sites.
Likely Case
Attackers with contributor access inject malicious JavaScript to steal session cookies or user credentials, potentially compromising user accounts and sensitive data.
If Mitigated
With proper user access controls and content security policies, the impact is limited to potential defacement or limited data exposure from affected pages.
🎯 Exploit Status
Exploitation requires authenticated access (contributor or higher). The vulnerability is in the pn_chain_menu shortcode where user-supplied attributes are not properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3284354/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Taxonomy Chain Menu' and check whether an update is available.
4. Click 'Update Now' to upgrade to version 1.0.9 or later.
5. Verify the plugin is updated to at least version 1.0.9.
🔧 Temporary Workarounds
Disable the plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate taxonomy-chain-menu
Remove contributor access
Temporarily restrict contributor-level access to trusted users only
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block XSS payloads in shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Taxonomy Chain Menu version. If version is 1.0.8 or lower, you are vulnerable.
Check Version:
wp plugin get taxonomy-chain-menu --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 1.0.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in post/page content
- Multiple failed login attempts followed by successful contributor login
- Posts/pages with suspicious JavaScript in content
Network Indicators:
- Outbound connections to suspicious domains from WordPress pages
- Unexpected JavaScript loading from third-party domains
SIEM Query:
source="wordpress" AND ("pn_chain_menu" OR "taxonomy-chain-menu") AND ("script" OR "javascript" OR "onclick" OR "onload")
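As an added detection example (not part of the original advisory and not the plugin's own code), the following Python script implements the "suspicious JavaScript in shortcode attributes" indicator above over constructed sample post content, using a simplified approximation of WordPress's shortcode attribute syntax. The sample posts, attribute names and suspicious-pattern list are assumptions; real content can be exported with `wp post list --fields=ID,post_content` and fed in the same way.

```python
import re

# Matches [pn_chain_menu ...] shortcodes and captures the raw attribute string.
SHORTCODE_RE = re.compile(r"\[pn_chain_menu\b([^\]]*)\]", re.IGNORECASE)

# Simplified WordPress attribute syntax: key="value", key='value' or key=value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Markup that has no business inside a menu shortcode attribute (assumed list).
SUSPICIOUS = [
    re.compile(r"<\s*/?\s*script", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),   # onload=, onerror=, onclick= ...
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"[<>]"),                             # any raw tag characters
]

def parse_attrs(raw):
    """Return {name: value} for the attribute string of one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs

def find_suspicious_shortcodes(content):
    """Return (attr_name, attr_value) pairs from pn_chain_menu shortcodes that look like injected markup."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if any(p.search(value) for p in SUSPICIOUS):
                findings.append((name, value))
    return findings

def scan_posts(posts):
    """Map post ID -> findings; posts with no suspicious shortcode attributes are omitted."""
    report = {}
    for post_id, content in posts:
        findings = find_suspicious_shortcodes(content)
        if findings:
            report[post_id] = findings
    return report

# Constructed sample posts (ID, post_content). Post 104 carries a legitimate script
# outside any shortcode and must not be flagged by this shortcode-scoped check.
SAMPLE_POSTS = [
    (101, 'Browse by topic: [pn_chain_menu taxonomy="category" depth="2"]'),
    (102, "[pn_chain_menu taxonomy='category<script>alert(1)</script>']"),
    (103, '[pn_chain_menu taxonomy="tag" depth="1 onmouseover=alert(1)"]'),
    (104, 'No shortcode here, just <script src="/wp-includes/js/jquery.js"></script>'),
]

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {findings}")
```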
🔗 References
- https://plugins.trac.wordpress.org/browser/taxonomy-chain-menu/trunk/index.php#L190
- https://plugins.trac.wordpress.org/changeset/3284354/
- https://wordpress.org/plugins/taxonomy-chain-menu/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25afc28c-2814-4b49-add5-1d0ce5ff3a07?source=cve