Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS. This issue affects Grand Restaurant: from n/a through < 7.0.9.
Published: 2026-01-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that allows reflected XSS within the Grand Restaurant theme. An attacker can embed malicious script in URLs or input fields that the theme reflects back to the victim's browser without encoding, potentially leading to cookie theft, session hijacking, defacement, or arbitrary script execution in the context of the site.

Affected Systems

All WordPress sites that use the ThemeGoods Grand Restaurant theme in a version earlier than 7.0.9 are affected. The theme is distributed under the ThemeGoods brand within the WordPress ecosystem and is commonly used on restaurant and hospitality websites that rely on it for their front-end presentation.

Risk and Exploitability

The CVSS score of 7.1 rates the vulnerability as high severity. The EPSS score below 1% indicates a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form input that the theme reflects without proper sanitization, letting the attacker inject JavaScript into the victim's browser.

Generated by OpenCVE AI on April 29, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grand Restaurant theme to 7.0.9 or later.
  • If a timely upgrade is not possible, restrict or remove any theme‑provided inputs that accept user content without sanitization; in custom code, sanitize input with WordPress's sanitize_* functions and escape it on output with the esc_* functions (esc_html, esc_attr, esc_url), since output escaping is the control that actually prevents reflected XSS.
  • Deploy a Content Security Policy that limits script execution to trusted sources to mitigate any residual XSS risk.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 22 Jan 2026 23:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:themegoods:grand_restaurant:*:*:*:*:*:wordpress:*:*

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Themegoods; Themegoods grand Restaurant; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themegoods; Themegoods grand Restaurant; Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 16:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 08 Jan 2026 09:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS. This issue affects Grand Restaurant: from n/a through < 7.0.9.

Type: Title
Values Added: WordPress Grand Restaurant theme < 7.0.9 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:23.535Z

Reserved: 2025-12-15T09:59:49.436Z

Link: CVE-2025-67922

Vulnrichment

Updated: 2026-01-08T14:55:12.948Z

NVD

Status : Modified

Published: 2026-01-08T10:15:51.220

Modified: 2026-04-27T18:16:49.330

Link: CVE-2025-67922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:45:16Z

Weaknesses