Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup food-store allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through <= 1.5.4.
Published: 2025-01-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Food Store plugin contains an Improper Neutralization of Input during Web Page Generation flaw, known as Cross‑Site Scripting. This allows an attacker to inject arbitrary JavaScript into the browser of any visitor who follows a crafted link. Once the script runs, the attacker could steal the user's authentication cookies, perform actions on behalf of that user, or display malicious content. The weakness is formally classified as CWE‑79 and can compromise the confidentiality, integrity, and availability of user sessions.

Affected Systems

The vulnerability affects the WordPress plugin WP Scripts Food Store – Online Food Delivery & Pickup for all supported versions up to and including 1.5.4. The plugin is distributed by WP Scripts and commonly used on WordPress sites that provide online food ordering.

Risk and Exploitability

The CVSS base score of 7.1 places the flaw in the High severity band, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting that no confirmed widespread exploitation has been made public. The likely attack vector is a crafted URL that a victim follows, causing the rendered page to execute the injected JavaScript. No prerequisites are needed beyond the ability to convince a user to click a link.

Generated by OpenCVE AI on May 1, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Scripts Food Store to a version newer than 1.5.4 or apply the vendor’s security patch if available.
  • If an immediate upgrade is not possible, remove or disable the Food Store plugin until a fix is applied.
  • For sites that must remain online, implement input validation or sanitization on all parameters handled by the plugin to neutralize potential script payloads.

Advisories
Source: EUVD
ID: EUVD-2025-2714
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through 1.5.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through 1.5.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup food-store allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through <= 1.5.4.
Title
  Removed: WordPress Food Store plugin <= 1.5.1 - Reflected Cross Site Scripting (XSS) vulnerability
  Added: WordPress Food Store plugin <= 1.5.4 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 13 Jan 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through 1.5.1.
Title WordPress Food Store plugin <= 1.5.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.267Z

Reserved: 2025-01-03T13:16:10.261Z

Link: CVE-2025-22314

Vulnrichment

Updated: 2025-01-13T13:45:24.877Z

NVD

Status: Deferred

Published: 2025-01-13T14:15:10.270

Modified: 2026-06-17T08:46:23.853

Link: CVE-2025-22314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:45:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')