Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Restaurant theme by ayecode contains an input neutralization flaw that allows reflected XSS. Attackers can supply malicious payloads that are echoed back into the page without proper escaping, enabling clients to execute arbitrary JavaScript in the victim’s browser. This flaw lies in the content generation path and can lead to credential theft, session hijacking, or defacement of the site. The weakness is classed as CWE‑79.

Affected Systems

Web sites that use the ayecode Restaurante theme version 3.0.7 or earlier are vulnerable. The issues affect all releases from the first release (n/a) up through 3.0.7, inclusive. No other versions are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, classifying it as high severity. The current EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation pressure. The attack vector is likely a reflected XSS attack, where a malicious link or form parameter delivers a payload that is echoed back to the user's browser. The exploit requires only that a user visit a crafted URL or submit a crafted form; no authentication is required. Given the high impact and the fact that it can be triggered from an external source, the risk remains significant for exposed sites running vulnerable theme versions.

Generated by OpenCVE AI on April 30, 2026 at 04:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Restaurante theme to a version newer than 3.0.7 or a release that addresses this XSS flaw
  • If an update is not immediately possible, remove or disable any components that render user-supplied content governed by this theme
  • Configure a web application firewall to block reflected XSS payloads targeting this theme’s input points

Generated by OpenCVE AI on April 30, 2026 at 04:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Ayecode
Ayecode restaurante
Wordpress
Wordpress wordpress
Vendors & Products Ayecode
Ayecode restaurante
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7.
Title WordPress Restaurante theme <= 3.0.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Ayecode Restaurante
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.297Z

Reserved: 2025-06-19T10:02:47.063Z

Link: CVE-2025-52746

cve-icon Vulnrichment

Updated: 2026-01-26T21:58:30.156Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:57.500

Modified: 2026-04-27T17:16:26.700

Link: CVE-2025-52746

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses