CVE-2025-9540: 
WordPress vulnerability analysis and mitigation

The Markup Markdown WordPress plugin before version 3.20.10 contains a Stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor-level access and above. The vulnerability was discovered on September 1, 2025, and was assigned CVE-2025-9540 (WPScan, NVD).

The vulnerability stems from insufficient input validation where the plugin allows links to contain JavaScript code. This creates a security weakness that could be exploited through stored XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript code into posts through markdown links. When other users view the affected posts and click on the manipulated links, the injected JavaScript code executes in their browsers, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been patched in version 3.20.10 of the Markup Markdown plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).