CVE-2021-25113: 
WordPress vulnerability analysis and mitigation

The Dropdown Menu Widget WordPress plugin through version 1.9.7 contains a security vulnerability identified as CVE-2021-25113. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on March 14, 2022. This security issue affects the plugin's settings functionality and impacts WordPress installations using the affected versions of the Dropdown Menu Widget plugin (WPScan Advisory).

The vulnerability stems from multiple security issues: lack of proper authorization checks, missing CSRF (Cross-Site Request Forgery) protections when saving settings, and inadequate input sanitization and escaping. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The vulnerability allows low-privilege users, such as subscribers, to modify plugin settings and potentially execute stored Cross-Site Scripting (XSS) attacks. This could lead to unauthorized settings modifications and potential execution of malicious JavaScript code in users' browsers when viewing affected pages (WPScan Advisory).

As of the latest available information, there is no known fix for this vulnerability. Website administrators using the Dropdown Menu Widget plugin version 1.9.7 or earlier should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings pages (WPScan Advisory).