CVE-2025-3868: 
WordPress vulnerability analysis and mitigation

The Custom Admin-Bar Favorites plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-3868) discovered in April 2025. The vulnerability affects all versions up to and including 0.1, and is caused by insufficient input sanitization and output escaping in the 'menuObject' parameter. The plugin has been temporarily closed as of April 24, 2025, pending a full security review (NVD Database, WordPress Plugin).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue. It has received a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires no privileges to exploit, but does need user interaction, and can potentially lead to limited confidentiality and integrity impacts (NVD Database).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the compromise of user sessions, theft of sensitive information, or manipulation of the affected WordPress installation's admin interface (NVD Database).

As of April 24, 2025, the plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).