HIGH · CVE-2026-25025 · CVSS 7.1

WordPress VikRestaurants plugin <= 1.5.2 - Reflected Cross Site Scripting (XSS) vulnerability

Platform: wordpress

Component: vikrestaurants

Fixed version: 1.5.3

AI Confidence: high · NVD EPSS 0.0% · Reviewed: May 2026

CVE-2026-25025 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the VikRestaurants WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 1.5.2, but a patch is available in version 1.5.3.


Impact and attack scenarios

An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into the VikRestaurants plugin's output. This code can then be executed in the context of a victim's browser when they visit a specially crafted URL. The impact ranges from simple annoyance (displaying misleading content) to severe consequences like session hijacking, credential theft, and redirection to malicious websites. Successful exploitation could allow an attacker to impersonate legitimate users, gain access to sensitive data stored within the WordPress site, or even deface the website. The scope of the attack is limited to users who interact with the vulnerable VikRestaurants plugin, but a popular plugin increases the potential attack surface.

Exploitation context

CVE-2026-25025 was publicly disclosed on 2026-03-25. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released, but the nature of Reflected XSS vulnerabilities makes it relatively easy to develop a PoC. The vulnerability is not currently listed on the CISA KEV catalog.

Who is at risk

Websites utilizing the VikRestaurants WordPress plugin, particularly those with user input fields that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a successful exploit on one site could potentially impact others.

Detection steps

• wordpress / composer / npm:

  grep -r '<script>' /var/www/html/wp-content/plugins/vikrestaurants/*

• wordpress / composer / npm:

  wp plugin list --status=all | grep vikrestaurants

• wordpress / composer / npm:

  wp plugin update vikrestaurants

• generic web: Inspect URL parameters for suspicious characters or script tags when accessing VikRestaurants plugin features.

• generic web: Review WordPress error logs for any JavaScript errors related to VikRestaurants.

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure:

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (7.1 HIGH)

• Attack Vector: Network (how the attacker reaches the target)
• Attack Complexity: Low (conditions required to exploit the vulnerability)
• Privileges Required: None (authentication level needed to attack)
• User Interaction: Required (whether the victim must take an action)
• Scope: Changed (impact beyond the affected component)
• Confidentiality: Low (risk of sensitive data disclosure)
• Integrity: Low (risk of unauthorized data modification)
• Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector
Network: exploitable remotely over the internet; no physical or local access is needed. Largest attack surface.

Attack Complexity
Low: no special conditions are required and the vulnerability can be exploited reliably.

Privileges Required
None: no authentication or credentials are needed to exploit.

User Interaction
Required: the victim must open a file, click a link or visit a specially crafted page.

Scope
Changed: the attack can reach beyond the vulnerable component and affect other systems.

Confidentiality
Low: partial access to data.

Integrity
Low: the attacker can modify some data, with limited impact.

Availability
Low: partial or intermittent denial of service.

Affected software

Component: vikrestaurants
Vendor: wordfence
Affected range: 0 – 1.5.2
Fixed version: 1.5.3

Package information

Active installs: 600
Plugin rating: 4.8
Requires WordPress version: 4.7+
Tested up to: 7.0
Requires PHP version: 7.4.0+

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2026-25025 is to immediately upgrade the VikRestaurants plugin to version 1.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include input validation and output encoding on user-supplied data within the plugin's templates. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through a vulnerable parameter and confirming that the script is not executed.
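As an added illustration of the "output encoding in the plugin's templates" workaround (this is not VikRestaurants code or the advisory's own example), the reflected-parameter pattern behind this class of bug is shown beside its hardened form using WordPress's own escaping helpers; the parameter name `vr_search` and both template fragments are assumptions:

```php
<?php
// Added example, not VikRestaurants code. The advisory does not name the
// vulnerable parameter, so "vr_search" and these template fragments are
// hypothetical. Runs inside the WordPress runtime, which provides the
// sanitize_*/esc_* helpers used below.

// BEFORE: the pattern that produces a reflected XSS. The request value is
// written into a text node and an attribute exactly as it was received.
function vr_render_search_header_unsafe() {
    $term = isset( $_GET['vr_search'] ) ? $_GET['vr_search'] : '';
    echo '<h2>Results for: ' . $term . '</h2>';
    echo '<input type="hidden" name="vr_search" value="' . $term . '">';
}

// AFTER: sanitize on input, then escape on output for the context the
// value lands in. Both steps are needed; sanitizing alone does not make a
// string safe for every HTML context.
function vr_render_search_header_safe() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $term = isset( $_GET['vr_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['vr_search'] ) )
        : '';

    // Text node: esc_html() encodes <, >, &, " and ' as entities.
    echo '<h2>Results for: ' . esc_html( $term ) . '</h2>';

    // Attribute value: esc_attr() so a quote in the term cannot close the
    // attribute and start a new one.
    echo '<input type="hidden" name="vr_search" value="' . esc_attr( $term ) . '">';

    // URL built from the term: rawurlencode() for the query value, then
    // esc_url() drops disallowed schemes such as javascript: entirely
    // instead of echoing them into href.
    $back = add_query_arg( 'vr_search', rawurlencode( $term ), home_url( '/menu/' ) );
    echo '<a href="' . esc_url( $back ) . '">Search again</a>';
}
```

The same split applies to the post-upgrade check the paragraph describes: a correctly escaped template renders the probe string as visible text in the page source rather than as a script element.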

Remediation

Update to version 1.5.3, or a newer patched version

Frequently asked questions

What is CVE-2026-25025 — Reflected XSS in VikRestaurants?

CVE-2026-25025 is a Reflected XSS vulnerability in the VikRestaurants WordPress plugin allowing attackers to inject malicious scripts via crafted URLs.

Am I affected by CVE-2026-25025 in VikRestaurants?

You are affected if you are using VikRestaurants version 0.0.0 through 1.5.2. Upgrade to 1.5.3 or later to resolve the issue.

How do I fix CVE-2026-25025 in VikRestaurants?

Upgrade the VikRestaurants plugin to version 1.5.3 or later. Consider temporary workarounds like input validation and output encoding if immediate upgrade is not possible.

Is CVE-2026-25025 being actively exploited?

There is currently no evidence of active exploitation of CVE-2026-25025 in the wild.

Where can I find the official VikRestaurants advisory for CVE-2026-25025?

Refer to the official VikRestaurants website or WordPress plugin repository for the latest advisory and update information.
