Platform: wordpress
Component: vikrestaurants
Fixed in: 1.5.3
CVE-2026-25025 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the VikRestaurants WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 1.5.2, but a patch is available in version 1.5.3.
An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into the VikRestaurants plugin's output. This code can then be executed in the context of a victim's browser when they visit a specially crafted URL. The impact ranges from simple annoyance (displaying misleading content) to severe consequences like session hijacking, credential theft, and redirection to malicious websites. Successful exploitation could allow an attacker to impersonate legitimate users, gain access to sensitive data stored within the WordPress site, or even deface the website. The scope of the attack is limited to users who interact with the vulnerable VikRestaurants plugin, but a popular plugin increases the potential attack surface.
CVE-2026-25025 was publicly disclosed on 2026-03-25. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released, but the nature of Reflected XSS vulnerabilities makes it relatively easy to develop a PoC. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-25025 is to immediately upgrade the VikRestaurants plugin to version 1.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include input validation and output encoding on user-supplied data within the plugin's templates. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through a vulnerable parameter and confirming that the script is not executed.
Update to version 1.5.3, or a newer patched version
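As an added illustration of the output-encoding workaround described above (example code written for this page, not VikRestaurants' own code; the `search` parameter, the markup and the allow-list rule are hypothetical), the following PHP shows a reflected-XSS sink beside its hardened form and the kind of check the post-upgrade verification step relies on. It uses `htmlspecialchars()` so it runs stand-alone; inside WordPress the equivalent helpers are `esc_html()` and `esc_attr()`.

```php
<?php
// Added example (not VikRestaurants code): a reflected-XSS sink and its
// hardened form. The "search" parameter and markup are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: request data echoed straight into HTML, in both a
// text context and an attribute context.
function render_search_vulnerable(string $term): string
{
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '">';
}

// Encode for HTML text and attribute contexts. ENT_QUOTES also encodes
// single and double quotes, which is what closes off the attribute case.
// In WordPress the equivalents are esc_html() / esc_attr().
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every reflected value is encoded at the point of output.
function render_search_hardened(string $term): string
{
    return '<p>Results for: ' . esc_html_ctx($term) . '</p>'
         . '<input type="text" name="search" value="' . esc_html_ctx($term) . '">';
}

// Hypothetical input allow-list: a search term has no legitimate need for
// angle brackets or quotes, so reject them early. This is defence in depth,
// not a substitute for output encoding.
function is_acceptable_search_term(string $term): bool
{
    return strlen($term) <= 100
        && preg_match('/^[\p{L}\p{N} .\-]*$/u', $term) === 1;
}

// Check used for verification: does the rendered HTML still carry a raw
// <script element? The hardened output only contains "&lt;script&gt;".
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample value of the kind a crafted URL would carry.
$sample = '"><script>alert(1)</script>';

$vuln = render_search_vulnerable($sample);
$safe = render_search_hardened($sample);

printf("vulnerable output contains <script>: %s\n", contains_script_tag($vuln) ? 'yes' : 'no');
printf("hardened output contains <script>:   %s\n", contains_script_tag($safe) ? 'yes' : 'no');
printf("input rejected by allow-list:        %s\n", is_acceptable_search_term($sample) ? 'no' : 'yes');
echo $safe, PHP_EOL;
```

The vulnerable renderer reports the raw `<script` element; the hardened one does not, because the sample's quote and angle brackets are emitted as `&quot;`, `&lt;` and `&gt;`. Encoding at output time is the fix that holds regardless of which parameter is reflected; the allow-list merely narrows what reaches the template.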
CVE-2026-25025 is a Reflected XSS vulnerability in the VikRestaurants WordPress plugin allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using VikRestaurants version 0.0.0 through 1.5.2. Upgrade to 1.5.3 or later to resolve the issue.
Upgrade the VikRestaurants plugin to version 1.5.3 or later. Consider temporary workarounds like input validation and output encoding if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-25025 in the wild.
Refer to the official VikRestaurants website or WordPress plugin repository for the latest advisory and update information.