Platform: wordpress
Component: vikrestaurants
Fixed in: 1.5.3
CVE-2026-25025 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the VikRestaurants WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 1.5.2, but a patch is available in version 1.5.3.
An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into the VikRestaurants plugin's output. This code can then be executed in the context of a victim's browser when they visit a specially crafted URL. The impact ranges from simple annoyance (displaying misleading content) to severe consequences like session hijacking, credential theft, and redirection to malicious websites. Successful exploitation could allow an attacker to impersonate legitimate users, gain access to sensitive data stored within the WordPress site, or even deface the website. The scope of the attack is limited to users who interact with the vulnerable VikRestaurants plugin, but a popular plugin increases the potential attack surface.
CVE-2026-25025 was publicly disclosed on 2026-03-25. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released, but the nature of Reflected XSS vulnerabilities makes it relatively easy to develop a PoC. The vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the VikRestaurants WordPress plugin, particularly those with user input fields that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a successful exploit on one site could potentially impact others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/vikrestaurants/*
• wordpress / composer / npm:
wp plugin list --status=all | grep vikrestaurants
• wordpress / composer / npm:
wp plugin update vikrestaurants
• generic web: Inspect URL parameters for suspicious characters or script tags when accessing VikRestaurants plugin features.
• generic web: Review WordPress error logs for any JavaScript errors related to VikRestaurants.
Exploit status: disclosure
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25025 is to immediately upgrade the VikRestaurants plugin to version 1.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include input validation and output encoding on user-supplied data within the plugin's templates. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through a vulnerable parameter and confirming that the script is not executed.
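As an added illustration of the output-encoding workaround described above (example code written for this page, not VikRestaurants' own code; the parameter name `q`, the helper names and the markup are hypothetical), a reflected template fragment is shown beside its hardened form:

```php
<?php
// Added example, not plugin code: a minimal WordPress-style template fragment
// that reflects a request parameter back into the page.

// Vulnerable: the raw query parameter is concatenated into HTML, so a crafted
// URL such as ?q=<script>alert(1)</script> runs in the visitor's browser.
function render_notice_vulnerable(string $term): string {
    return '<p class="vr-notice">No results for "' . $term . '"</p>';
}

// Hardened: every user-controlled value is HTML-encoded at the point of output.
// Inside WordPress the idiomatic helpers are esc_html() for element content and
// esc_attr() for attribute values, with sanitize_text_field() on input;
// htmlspecialchars() is used here so the file also runs outside WordPress.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_notice_hardened(string $term): string {
    return '<p class="vr-notice">No results for "' . esc($term) . '"</p>';
}

// Constructed input: the same probe the advisory suggests for verifying a fix.
$probe = '<script>alert(1)</script>';
$term  = $_GET['q'] ?? $probe;

$vulnerable = render_notice_vulnerable($term);
$hardened   = render_notice_hardened($term);

// The vulnerable output carries the tag through unchanged; the hardened output
// contains only the encoded form, which the browser renders as text.
assert(strpos($vulnerable, '<script') !== false);
assert(strpos($hardened, '<script') === false);
assert(strpos($hardened, '&lt;script&gt;') !== false);

echo $hardened, PHP_EOL;
```

Run with `php example.php` to print the encoded notice; the same check applied to each reflected parameter in a template is what the "verify the fix" step above amounts to.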
Update to version 1.5.3, or a newer patched version
CVE-2026-25025 is a Reflected XSS vulnerability in the VikRestaurants WordPress plugin allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using VikRestaurants version 0.0.0 through 1.5.2. Upgrade to 1.5.3 or later to resolve the issue.
Upgrade the VikRestaurants plugin to version 1.5.3 or later. Consider temporary workarounds like input validation and output encoding if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-25025 in the wild.
Refer to the official VikRestaurants website or WordPress plugin repository for the latest advisory and update information.