A stored cross‑site scripting flaw exists in the Easy restaurant menu manager WordPress plugin. In versions up to 2.0.1, the plugin’s nsc_eprm_menu_link shortcode fails to properly sanitize or escape user‑supplied attributes, allowing attackers who can log in with contributor‑level privileges or higher to inject arbitrary JavaScript code. When a victim later views a page that contains the injected content, the malicious script executes in their browser, potentially compromising credentials, defacing content, or facilitating phishing attacks. The vulnerability is a classic example of CWE‑79, which affects confidentiality, integrity, and availability of user sessions.

The issue targets the Easy restaurant menu manager plugin by nikelschubert, a WordPress extension. All installations of the plugin in versions 2.0.1 and earlier are affected; newer releases are not listed as vulnerable in the current data.

The CVSS score of 6.4 indicates a medium severity risk. The EPSS score of less than 1 % signals a very low probability of exploitation at this time, and the vulnerability is not yet catalogued by CISA’s KEV list. However, because the flaw permits arbitrary script execution on authenticated pages, a determined contributor‑level attacker could exploit it if they gain access to a content member or the site’s administration interface. The attack likely requires the attacker to be able to add or edit a menu item that includes the vulnerable shortcode, after which the injected code will run for any user who views that item.