Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in ZoomIt FoodMenu allows reflected XSS. Based on the description, it is inferred that an attacker can inject malicious JavaScript that executes in a victim's browser when the page is rendered, which could lead to session hijacking, credential theft, or defacement of the site, depending on the attacker's goals. The weakness is a classic input-validation failure, classified as CWE-79.

Affected Systems

ZoomIt FoodMenu for WordPress, versions up to and including 1.20. Any WordPress installation running this plugin at version ≤ 1.20 is vulnerable; no more granular version details are supplied.

Risk and Exploitability

The CVSS score of 7.1 marks this as a high-severity vulnerability, while the EPSS score indicates a very low exploitation probability (<1%). The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that exploitation requires a victim to visit a crafted URL or otherwise submit malicious input that is reflected in the HTML output, and that user authentication is not required, since the payload is delivered through the page rendering process (consistent with the PR:N and UI:R components of the CVSS vector recorded below).

Generated by OpenCVE AI on May 1, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ZoomIt FoodMenu to version 1.21 or later (or the latest release), ensuring the fix for the XSS issue is applied.
  • If an update is unavailable, remove the FoodMenu plugin from the WordPress site to eliminate the vulnerable code path.
  • As a temporary mitigation, configure WordPress to prevent script execution in user-supplied content, or implement a Web Application Firewall rule that blocks known XSS payload patterns in the FoodMenu output.

Advisories
Source: EUVD
ID: EUVD-2025-24736
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu dzs-restaurantmenu allows Reflected XSS.This issue affects FoodMenu: from n/a through <= 1.20.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20.

Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu dzs-restaurantmenu allows Reflected XSS.This issue affects FoodMenu: from n/a through <= 1.20.

Type: References

Thu, 14 Aug 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20.

Type: Title
Values Added: WordPress FoodMenu <= 1.20 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.066Z

Reserved: 2025-03-11T08:11:02.522Z

Link: CVE-2025-29014

Vulnrichment

Updated: 2025-08-14T19:43:58.147Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:32.180

Modified: 2026-04-28T19:30:14.237

Link: CVE-2025-29014

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')