Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants vikrestaurants allows Stored XSS. This issue affects VikRestaurants: from n/a through <= 1.5.1.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to store malicious script code in the VikRestaurants plugin input fields, which is later rendered unescaped when the plugin outputs the data to web pages. This stored XSS flaw means that a determined attacker could inject JavaScript that executes in the browsers of any user who views the affected content, potentially leading to session hijacking, defacement, or further propagation of malicious payloads. The weakness is captured as CWE‑79.

Affected Systems

The issue affects the WordPress VikRestaurants plugin released by e4jvikwp. All versions from the earliest available release up to and including 1.5.1 are vulnerable. If your site is running the plugin at or below 1.5.1, it is affected.

Risk and Exploitability

The CVSS base score of 5.9 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is stored, any user (including ordinary visitors) can be influenced by an attacker who can supply content to the plugin’s fields. The benefit to the attacker is the execution of arbitrary JavaScript in the victim’s browser context.

Generated by OpenCVE AI on April 30, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the VikRestaurants plugin to version 1.5.2 or later, which removes the stored XSS flaw.
  • If an upgrade is not immediately possible, temporarily disable the VikRestaurants plugin to prevent exposure of the vulnerable input forms.
  • As a last resort, modify the plugin’s input handling code to escape all user‑supplied data before rendering, ensuring adherence to proper output encoding practices.



Advisories
Source: EUVD
ID: EUVD-2025-30686
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Stored XSS. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Stored XSS. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.4.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants vikrestaurants allows Stored XSS. This issue affects VikRestaurants: from n/a through <= 1.5.1.
Title
  Removed: WordPress VikRestaurants Table Reservations and Take-Away Plugin <= 1.4 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress VikRestaurants Table Reservations and Take-Away plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared E4jconnect
E4jconnect vikrestaurants Table Reservations And Take-away
Wordpress
Wordpress wordpress
Vendors & Products E4jconnect
E4jconnect vikrestaurants Table Reservations And Take-away
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Stored XSS. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.4.
Title WordPress VikRestaurants Table Reservations and Take-Away Plugin <= 1.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

E4jconnect Vikrestaurants Table Reservations And Take-away
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.351Z

Reserved: 2025-08-22T11:36:51.669Z

Link: CVE-2025-57962

Vulnrichment

Updated: 2025-09-23T14:18:41.905Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:55.173

Modified: 2026-04-23T15:33:08.337

Link: CVE-2025-57962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses