CVE-2025-9541: 
WordPress vulnerability analysis and mitigation

The Markup Markdown WordPress plugin before version 3.20.10 contains a stored Cross-Site Scripting (XSS) vulnerability that affects users with contributor role and above. The vulnerability was discovered on September 1, 2025, and was assigned CVE-2025-9541 (WPScan, NVD).

The vulnerability allows links to contain JavaScript which could enable users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. The CVSS v3.1 base score is 4.7 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L. A proof of concept demonstrates that an attacker can create a new post using a Contributor account and insert a malicious payload in the form of [![Uh oh...]("onerror="alert('XSS'))] which executes when the post is viewed (WPScan).

When successfully exploited, this vulnerability allows authenticated users with contributor-level access to inject and execute malicious JavaScript code in the context of other users' browsers who view the affected posts. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

Users should upgrade their Markup Markdown WordPress plugin to version 3.20.10 or later, which contains the fix for this vulnerability (WPScan).