Improper neutralization of input during web page generation allows the Simple Restaurant Menu plugin to store malicious JavaScript payloads within menu data. The resulting stored cross‑site scripting causes code to run whenever a page that displays the menu is viewed. Based on the description, the attack likely requires the attacker to add or modify menu items through the plugin’s editing interface, which is inferred rather than explicitly stated in the source.

WordPress sites that have installed the Simple Restaurant Menu plugin version 1.2 or earlier are vulnerable. The plugin is distributed by Will.I.am; the flaw exists from the earliest release through 1.2 and affects any site that allows users to edit menu content.

The CVSS score of 5.9 indicates medium severity. The EPSS score of less than 1 % suggests a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need a way to inject script into stored menu content, typically by having sufficient permissions to edit menus; once stored, the script executes in the browsers of all users who view the menu. The risk is confined to the client side and does not provide system compromise, yet it can affect user sessions and potentially exfiltrate information from the victim’s browser.