What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1.
Explanation of Vulnerability in Simple Terms
02 Summary
Menu In Post versions up to 1.4.1 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts into menu content. When other users view the affected menu, the scripts execute in their browsers, potentially allowing the attacker to steal session tokens, redirect users, or perform actions on their behalf.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute when other users view the menu, stealing sessions or performing unauthorized actions.
Potential impact on your site
04 Site Impact
Authenticated users can inject persistent malicious code affecting all site visitors who view menus, compromising user sessions and data.
Conditions required to exploit
05 Prerequisites
Attacker needs a low-privilege user account and must trick a victim into viewing the affected menu content.
Key dates
06 Disclosure timeline
January 22, 2026: CVE published
April 28, 2026: Record updated