CVE-2025-49035: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Admin Menu Groups WordPress plugin, tracked as CVE-2025-49035. The vulnerability affects versions through 0.1.2 of the Admin Menu Groups plugin developed by chaimchaikin. This security issue was discovered and disclosed on August 27, 2025 (NVD, Patchstack).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It has received a CVSS v3.1 base score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality, integrity, and availability (NVD, AttackerKB).

The vulnerability allows attackers to inject malicious scripts, which could lead to various consequences including redirects, unauthorized advertisements, and execution of arbitrary HTML payloads when users visit the affected site. The impact is considered medium severity due to the requirement of high privileges and user interaction (Patchstack).

Currently, there is no official fix available for this vulnerability as the software appears to be abandoned. The last update was over a year ago, and it's unlikely to receive further updates. The recommended mitigation is to remove and replace the affected plugin with an alternative solution (Patchstack).