CVE-2025-30560 Overview
CVE-2025-30560 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Sana Ullah jQuery Dropdown Menu WordPress plugin (jquery-drop-down-menu-plugin). The flaw chains into a Stored Cross-Site Scripting (XSS) condition, allowing attackers to persist malicious JavaScript in plugin settings. All plugin versions from n/a through 3.0 are affected. The vulnerability requires user interaction, typically tricking an authenticated administrator into visiting an attacker-controlled page. Successful exploitation results in stored JavaScript that executes in the browser context of any user viewing the affected WordPress page.
Critical Impact
An attacker can persist malicious scripts in WordPress site settings by abusing a missing CSRF protection, enabling session hijacking, administrative actions, and malware delivery to site visitors.
Affected Products
- Sana Ullah jQuery Dropdown Menu plugin for WordPress
- All versions from n/a through 3.0
- WordPress sites with the jquery-drop-down-menu-plugin installed and active
Discovery Timeline
- 2025-03-24 - CVE-2025-30560 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-30560
Vulnerability Analysis
The vulnerability combines two weaknesses: missing CSRF token validation on plugin administrative endpoints and insufficient output encoding of stored configuration values. An attacker hosts a malicious page containing a forged request targeting the plugin's settings handler. When an authenticated WordPress administrator visits the page, the browser submits the request with valid session cookies. The plugin processes the request without verifying a CSRF nonce and stores attacker-supplied input as plugin configuration. The stored payload renders in pages that include the dropdown menu, executing JavaScript in every visitor's browser session.
The attack vector is network-based and requires no authentication on the attacker side, only user interaction from a privileged victim. The scope is changed because injected scripts execute beyond the vulnerable component, affecting any visitor to the WordPress site.
Root Cause
The root cause is the absence of WordPress nonce verification (wp_verify_nonce() or check_admin_referer()) on state-changing plugin endpoints. The plugin also fails to sanitize or escape user-supplied input before storing it and rendering it as HTML. This combination converts a CSRF condition into a Stored XSS primitive.
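The two weaknesses named above, shown side by side in an added example that is not the plugin's actual code: a hypothetical WordPress settings handler that stores and renders a configuration value without a nonce check or escaping, followed by the hardened form using check_admin_referer(), a capability check, per-field sanitization and output escaping. Every name with the jdm_ prefix, the option key jdm_menu_settings, the nonce action name and the options-page slug are assumptions made for the illustration.

```php
<?php
// Hypothetical plugin code for illustration; jdm_* names, the option key
// 'jdm_menu_settings' and the page slug 'jdm-menu' are assumptions.

// --- Vulnerable pattern: what "no nonce, no sanitization, no escaping" looks like ---
function jdm_save_settings_vulnerable() {
    // Any request carrying the admin's cookies is accepted, which is exactly
    // what a cross-site form submission delivers. The value is stored as-is.
    update_option( 'jdm_menu_settings', $_POST['jdm_menu_settings'] );
}

function jdm_render_menu_vulnerable() {
    $settings = get_option( 'jdm_menu_settings' );
    // Unescaped output: whatever reached the database is now HTML on every page.
    echo '<ul class="' . $settings['css_class'] . '">';
    echo '<li>' . $settings['menu_title'] . '</li></ul>';
}

// --- Hardened pattern -------------------------------------------------------

function jdm_get_settings() {
    return wp_parse_args(
        get_option( 'jdm_menu_settings', array() ),
        array( 'menu_title' => 'Menu', 'css_class' => 'jdm-menu' )
    );
}

// 1. Settings form: emit a nonce bound to one specific action.
function jdm_settings_page() {
    $settings = jdm_get_settings();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jdm_save_settings">
        <?php wp_nonce_field( 'jdm_save_settings', 'jdm_nonce' ); ?>
        <input type="text" name="jdm_menu_settings[menu_title]"
               value="<?php echo esc_attr( $settings['menu_title'] ); ?>">
        <input type="text" name="jdm_menu_settings[css_class]"
               value="<?php echo esc_attr( $settings['css_class'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Dropdown Menu', 'Dropdown Menu', 'manage_options', 'jdm-menu', 'jdm_settings_page' );
} );

// 2. Handler: nonce first, then capability, then allow-list sanitization per field.
function jdm_save_settings() {
    // Forged cross-site requests cannot carry a valid nonce; this call ends the
    // request with a 403 page when the check fails.
    check_admin_referer( 'jdm_save_settings', 'jdm_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $raw   = isset( $_POST['jdm_menu_settings'] ) ? (array) wp_unslash( $_POST['jdm_menu_settings'] ) : array();
    $clean = array(
        'menu_title' => sanitize_text_field( $raw['menu_title'] ?? '' ),
        // A CSS class list only ever needs these characters; drop everything else.
        'css_class'  => preg_replace( '/[^A-Za-z0-9_ -]/', '', $raw['css_class'] ?? '' ),
    );
    update_option( 'jdm_menu_settings', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=jdm-menu&updated=1' ) );
    exit;
}
add_action( 'admin_post_jdm_save_settings', 'jdm_save_settings' );

// 3. Output: escape at render time regardless of what the database holds, so a
//    value that slipped past storage-side checks still cannot execute.
function jdm_render_menu() {
    $settings = jdm_get_settings();
    echo '<ul class="' . esc_attr( $settings['css_class'] ) . '">';
    echo '<li>' . esc_html( $settings['menu_title'] ) . '</li></ul>';
}
```

The nonce check and the output escaping are independent controls: the nonce stops the forged write, and esc_attr()/esc_html() stop anything already stored from running. Removing either one recreates half of the chain the advisory describes, which is why a fix for this class of bug needs both.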
Attack Vector
The attacker crafts an HTML page containing an auto-submitting form or fetch() request targeting the WordPress admin endpoint that updates jQuery Dropdown Menu settings. The payload includes JavaScript inside a configurable plugin field. The attacker lures a logged-in administrator to the page via phishing or a malicious link. The browser submits the request with the administrator's session cookies, and the plugin saves the payload. The injected script then executes whenever the dropdown menu renders, including on public pages, propagating XSS to all visitors.
No verified public exploit code is available. See the Patchstack Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2025-30560
Indicators of Compromise
- Unexpected <script> tags, onerror attributes, or JavaScript event handlers in jQuery Dropdown Menu plugin settings stored in the WordPress wp_options table
- WordPress admin POST requests to the plugin's settings handler with HTTP Referer headers from external domains
- Outbound browser requests from site visitors to unknown domains after the dropdown menu loads
- New or modified administrative accounts created shortly after admin browsing sessions
Detection Strategies
- Audit WordPress plugin options for HTML or JavaScript content in fields that should contain only configuration data
- Inspect web server access logs for POST requests to wp-admin/admin.php or wp-admin/options.php referencing the plugin without matching prior GET requests to the settings page
- Monitor for the plugin slug jquery-drop-down-menu-plugin in installed plugin inventories and flag versions at or below 3.0
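The first two detection strategies above, as an added example that is not code from the plugin or the advisory: a small PHP command-line script that flags option values containing script-like content and picks out POSTs to wp-admin whose Referer is not the site itself. The sample option values and access-log lines are constructed for the demonstration; the function names and the site host shop.example are assumptions. On a live site the same functions can be fed the output of wp option list --format=json and the web server's combined-format access log.

```php
<?php
// Added detection helper; all sample data below is constructed, not real IoCs.

/** Patterns that have no business inside plain configuration fields. */
const JDM_SCRIPT_PATTERNS = array(
    '/<\s*script\b/i',                    // <script ...>
    '/\bon[a-z]+\s*=/i',                  // onerror=, onload=, onclick=, ...
    '/javascript\s*:/i',                  // javascript: URLs
    '/<\s*(iframe|svg|img|object)\b/i',   // other tags that can carry handlers
);

/**
 * Return [option_name => matched_pattern] for every option whose value
 * (scalar or nested array) matches one of the patterns above.
 */
function jdm_find_script_like_options( array $options ): array {
    $hits = array();
    foreach ( $options as $name => $value ) {
        $flat = is_scalar( $value ) ? (string) $value : json_encode( $value, JSON_UNESCAPED_SLASHES );
        foreach ( JDM_SCRIPT_PATTERNS as $pattern ) {
            if ( preg_match( $pattern, $flat ) ) {
                $hits[ $name ] = $pattern;
                break;
            }
        }
    }
    return $hits;
}

/**
 * Parse combined-format access log lines and return POSTs under /wp-admin/
 * whose Referer host is absent or differs from $site_host. A legitimate
 * settings save is a POST whose Referer is the site's own settings page.
 */
function jdm_find_cross_origin_admin_posts( array $lines, string $site_host ): array {
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" '
        . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';
    $suspicious = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;   // not a combined-format line; skip rather than guess
        }
        if ( $m['method'] !== 'POST' || strpos( $m['path'], '/wp-admin/' ) !== 0 ) {
            continue;
        }
        $ref_host = parse_url( $m['referer'], PHP_URL_HOST );
        if ( ! is_string( $ref_host ) || strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $suspicious[] = array(
                'ip'      => $m['ip'],
                'time'    => $m['ts'],
                'path'    => $m['path'],
                'referer' => ( $m['referer'] === '-' ) ? '(none)' : $m['referer'],
            );
        }
    }
    return $suspicious;
}

// ---- Constructed sample data --------------------------------------------------
$sample_options = array(
    'blogname'              => 'Example Shop',
    'jdm_menu_settings'     => array( 'menu_title' => 'Products', 'css_class' => 'jdm-menu' ),
    'jdm_menu_settings_bad' => array( 'menu_title' => 'Products<script>/* constructed sample */</script>' ),
);
$sample_log = array(
    '203.0.113.5 - - [24/Mar/2025:10:15:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 - "https://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2025:10:16:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 - "https://shop.example/wp-admin/options-general.php?page=jdm-menu" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2025:10:17:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( jdm_find_script_like_options( $sample_options ) as $name => $pattern ) {
    printf( "[option] %s matches %s\n", $name, $pattern );
}
foreach ( jdm_find_cross_origin_admin_posts( $sample_log, 'shop.example' ) as $hit ) {
    printf( "[log] %s %s POST %s referer=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer'] );
}
```

With the constructed data the script reports the jdm_menu_settings_bad option and the first log line (Referer on lure.example); the second POST has the site's own Referer and the GET is ignored. Browsers governed by a strict Referrer-Policy may omit the Referer on legitimate admin saves, so treat a missing Referer as a lead to review against the audit log rather than as proof of forgery.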
Monitoring Recommendations
- Enable WordPress audit logging to capture changes to plugin settings and the originating user session
- Deploy a Web Application Firewall (WAF) rule to log requests to plugin admin endpoints lacking valid _wpnonce parameters
- Alert when scripts loaded by WordPress pages reference newly observed external domains
How to Mitigate CVE-2025-30560
Immediate Actions Required
- Deactivate and remove the jQuery Dropdown Menu plugin until a patched version is released by the vendor
- Review plugin settings for injected HTML or JavaScript and remove any unexpected content
- Force password resets and session invalidation for all WordPress administrator accounts that may have visited untrusted sites while logged in
- Rotate WordPress authentication keys and salts in wp-config.php to invalidate stolen session tokens
Patch Information
No patched version is listed in the advisory at the time of publication. Versions through 3.0 remain affected. Monitor the Patchstack Vulnerability Advisory and the WordPress plugin repository for updates.
Workarounds
- Replace the plugin with an actively maintained alternative that implements CSRF nonce verification and output escaping
- Restrict access to wp-admin/ by IP allowlisting at the web server or WAF layer to reduce CSRF exposure
- Require administrators to use a dedicated browser profile for WordPress administration to prevent cross-site request abuse
- Deploy a Content Security Policy (CSP) header that disallows inline scripts to limit the impact of stored XSS payloads
# Example: Disable the vulnerable plugin via WP-CLI
wp plugin deactivate jquery-drop-down-menu-plugin
wp plugin delete jquery-drop-down-menu-plugin
# Example: Add a restrictive Content Security Policy in .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.