CVE-2025-3748: 
WordPress vulnerability analysis and mitigation

The Taxonomy Chain Menu plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3748) affecting all versions up to and including 1.0.8. The vulnerability was discovered in the plugin's pnchainmenu shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. The issue was reported by Peter Thaleikis through Wordfence and was patched in version 2.0.9, released on April 29, 2025 (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) according to Wordfence's assessment, while NVD rates it at 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The security flaw stems from improper neutralization of input during web page generation in the pnchainmenu shortcode functionality (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD).

The vulnerability has been patched in version 2.0.9 of the Taxonomy Chain Menu plugin. Users are strongly advised to update to this latest version. The update includes security fixes specifically addressing the XSS vulnerability, and notably makes all premium features freely available (WordPress Plugin).

The plugin developers responded promptly to the security report and released version 2.0.9, which not only fixes the security vulnerability but also makes all premium features freely available. The update was acknowledged with credits to Peter Thaleikis and Wordfence for responsible disclosure (WordPress Plugin).