Impact
The e4jvikwp VikRestaurants WordPress plugin contains an Improper Neutralization of Input During Web Page Generation weakness (CWE-79): request-supplied input is written into an HTML response without being escaped, which yields a reflected cross-site scripting vulnerability. An attacker who gets a user to open a crafted URL can run JavaScript in that user's browser in the origin of the site, and that script can read data exposed to the page, present phishing content, or alter the page as the victim sees it. Because the payload is reflected rather than stored, the impact on confidentiality, integrity, and availability is limited to the browser sessions of users who open a crafted link; if such a user is a logged-in administrator, however, the result can extend to account takeover or changes to the site's content and appearance. Note that WordPress marks its authentication cookies HttpOnly, so direct theft of the login cookie through document.cookie is usually blocked, but script running in the victim's origin can still issue authenticated requests on the victim's behalf.
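The pattern behind this class of flaw, as an added illustration rather than code from the VikRestaurants plugin: a WordPress-style template that concatenates a request parameter into the page, beside the same template escaped per output context, plus the check a tester would use to confirm a fix. The parameter name `q`, the render functions, and the payload are all hypothetical; the plugin's real parameter and file are not known from this page.

```php
<?php
// Added example, not code from the VikRestaurants plugin: a generic reflected
// XSS sink in a WordPress-style template and the escaped form that fixes it.
// The parameter name "q" and the render functions are hypothetical.

// Fallbacks so the file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr() are used; like these, they escape with ENT_QUOTES.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): the request parameter is concatenated into the
// response without neutralization, once in an attribute and once in text.
function render_search_vulnerable(array $request): string
{
    $q = (string) ($request['q'] ?? '');
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Fixed pattern: escape at output time, choosing the escaper for the context
// the value lands in (attribute value vs. element text).
function render_search_fixed(array $request): string
{
    $q = (string) ($request['q'] ?? '');
    return '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Check used to confirm a fix: does the marker payload come back verbatim as
// live markup? If the raw "<script>" tag is present, the sink is still open.
function reflects_unescaped(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed input: a typical attribute-breakout payload.
$payload = '"><script>alert(document.cookie)</script>';
$request = ['q' => $payload];

$vuln  = render_search_vulnerable($request);
$fixed = render_search_fixed($request);

echo 'vulnerable reflects script: ' . var_export(reflects_unescaped($vuln, $payload), true) . PHP_EOL;
echo 'fixed reflects script:      ' . var_export(reflects_unescaped($fixed, $payload), true) . PHP_EOL;
echo $fixed . PHP_EOL;
```

Run with `php example.php`: the check reports true for the vulnerable renderer and false for the fixed one, and the fixed markup shows the payload turned into `&quot;&gt;&lt;script&gt;...`. In real WordPress code the request value would normally also pass through `wp_unslash()` and `sanitize_text_field()` on input, but input sanitization alone is not what closes the hole; escaping at the point of output, with `esc_attr()`, `esc_html()`, `esc_url()` or `esc_js()` chosen by context, is the neutralization CWE-79 refers to.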
Affected Systems
The vulnerability affects the VikRestaurants table reservations and take-away plugin for WordPress, specifically all published releases up to and including version 1.5. Any site that installed the plugin from the official WordPress plugin repository and is still running one of those versions should be treated as affected, regardless of whether it was installed from the installer package or from source.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the High severity band (7.0 to 8.9). The EPSS score is below 1 %, meaning the estimated probability of exploitation in the wild over the next 30 days is low at present. The vulnerability is not listed in the CISA KEV catalog, so there is no record of known active exploitation. The attack vector is inferred to be network-based: the attacker needs only a crafted URL and a victim who opens it on a site where the plugin is active, so exploitation depends on user interaction rather than on any direct access to the server. Because the plugin is a customer-facing WordPress component used for dining reservations, the pool of potential victims can be large on high-traffic or high-value sites; the low EPSS score suggests exploitation is not currently widespread, which does not reduce the consequence for a site that is specifically targeted.