Impact
This vulnerability is a stored Cross‑Site Scripting (XSS) flaw that occurs because user input is not properly neutralized before being included in generated web pages. An attacker can inject malicious JavaScript that will run whenever the affected page is viewed, potentially allowing defacement, cookie theft, or redirection of site visitors. The flaw enables an attacker to alter the presentation and behavior of the website for all users who access the vulnerable page.
Affected Systems
The flaw affects the Advance Food Menu plugin developed by Md Abunaser Khan. Any installation running version 1.0 or earlier is vulnerable. Only the upper bound of 1.0 is given and no fixed release is named, so every release up to and including 1.0 should be reviewed.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score is below 1%, suggesting that the likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve supplying a crafted payload to a plugin input that is stored and later rendered to site visitors, so an attacker would need access to a functioning input endpoint, typically as an administrator or as a user with permission to create or edit menu items. Because those inputs are reached through the web interface, the privilege actually required depends on how the plugin processes submissions: an authenticated low-privilege account, or even unauthenticated access, could be sufficient.
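To make the defect class concrete, here is an added illustration (not code from the Advance Food Menu plugin) that places a render path copying stored values straight into markup next to a hardened one that sanitizes on save and escapes on output. The function names, the shims and the sample menu item are all hypothetical.

```php
<?php
// Added illustration, not code from the Advance Food Menu plugin. It contrasts the
// defect class described above (a stored value copied into generated markup without
// neutralization) with a hardened render path. Function names and the sample item
// are hypothetical.

// Shims so the file runs stand-alone (`php example.php`); inside WordPress the real
// esc_html()/esc_attr()/sanitize_text_field() exist and these are skipped.
// The shims approximate WordPress behaviour rather than reproduce it exactly.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Vulnerable pattern: stored fields go straight into the page, so any markup an
// editor saved (or that reached the database by another route) runs for every visitor.
function render_menu_item_vulnerable(array $item): string {
    return '<li class="' . $item['css_class'] . '">' . $item['name']
         . ' <span>' . $item['price'] . '</span></li>';
}

// Hardened pattern, step 1: validate and sanitize when the item is saved.
function save_menu_item(array $raw): array {
    return [
        'name'      => sanitize_text_field($raw['name'] ?? ''),
        // A CSS class never legitimately needs quotes, angle brackets or spaces.
        'css_class' => preg_replace('/[^A-Za-z0-9_-]/', '', (string) ($raw['css_class'] ?? '')),
        // Price is numeric data; anything else is rejected rather than stored.
        'price'     => is_numeric($raw['price'] ?? null) ? number_format((float) $raw['price'], 2, '.', '') : '0.00',
    ];
}

// Hardened pattern, step 2: escape at output for the exact HTML context, regardless of
// what happened on save. Output escaping is the control that actually closes this bug.
function render_menu_item_safe(array $item): string {
    return '<li class="' . esc_attr($item['css_class']) . '">' . esc_html($item['name'])
         . ' <span>' . esc_html($item['price']) . '</span></li>';
}

// Constructed sample: a menu item whose name and class carry markup characters.
$raw = ['name' => 'Margherita <script>alert(1)</script>', 'css_class' => 'special" x', 'price' => '9.5'];
echo render_menu_item_vulnerable($raw), PHP_EOL;          // script tag lands in the page verbatim
echo render_menu_item_safe(save_menu_item($raw)), PHP_EOL; // only inert text remains
```

Input sanitization alone is not a fix: content already in the database or imported by another path bypasses it, which is why the escaping happens in the render function.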
OpenCVE Enrichment
EUVD