CVE-2025-69017

Severity: MEDIUM (CVSS 3.1 base score 6.5)
Published: 2025-12-30 ([email protected])

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 15:22 (vuln.today)
CVE Published: Dec 30, 2025 11:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress restropress allows Stored XSS. This issue affects RestroPress: from n/a through <= 3.2.8.4.

Analysis

Stored Cross-Site Scripting (XSS) in the Magnigenie RestroPress WordPress plugin, through version 3.2.8.4, allows authenticated users with low privileges to inject scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. Exploitation requires user interaction (UI:R) and an authenticated account (PR:L), which limits the immediate risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation had been confirmed at the time of analysis.

Technical Context

RestroPress is a WordPress restaurant and food ordering plugin that generates dynamic web pages from user-supplied input. The vulnerability stems from improper input sanitization and missing output encoding during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Authenticated users with low-level permissions can submit unvalidated data that the plugin renders directly into HTML output without escaping, so a stored payload persists in the database and executes whenever another user (including an administrator) views the affected page. The root cause is a combined failure of server-side input validation and of output encoding at the point where the HTML is generated.
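The following is an added illustration of the CWE-79 pattern described above, not code from RestroPress or Magnigenie. It uses a hypothetical "order note" field to show a stored value echoed straight into markup beside the same rendering with WordPress-style, context-specific escaping (esc_attr() for attribute values, esc_html() for text nodes) and sanitize_text_field() on save. The polyfills at the top exist only so the file runs outside WordPress; inside WordPress the real helpers are used.

```php
<?php
// Added example, not RestroPress code. Polyfills approximate the WordPress
// helpers so the script runs stand-alone; WordPress defines the real ones.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Mirrors wp_strip_all_tags(): drop script/style blocks with their
        // contents, then remaining tags, control characters and outer whitespace.
        $text = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $text);
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Constructed sample of what a low-privileged account could have stored.
$storedNote = 'Leave at door <script>document.title="owned"</script>';

// Vulnerable pattern (the failure the advisory describes): the stored value is
// concatenated into markup in two HTML contexts with no escaping at all.
function render_note_unsafe(string $note): string {
    return '<td class="order-note" title="' . $note . '">' . $note . '</td>';
}

// Hardened pattern: escape on output, choosing the function for each context.
function render_note_safe(string $note): string {
    return '<td class="order-note" title="' . esc_attr($note) . '">'
         . esc_html($note) . '</td>';
}

// Defence in depth: sanitize on save as well, so plain-text fields never hold
// markup in the database in the first place.
function store_note(string $rawInput): string {
    return sanitize_text_field($rawInput);
}

echo "Unsafe:    " . render_note_unsafe($storedNote) . PHP_EOL;
echo "Escaped:   " . render_note_safe($storedNote) . PHP_EOL;
echo "Sanitized: " . render_note_safe(store_note($storedNote)) . PHP_EOL;
```

Escaping on output is the control that actually closes the CWE-79 gap; sanitizing on save is a second layer that limits what a later rendering bug can expose. For fields that legitimately carry limited HTML, wp_kses_post() is the appropriate replacement for sanitize_text_field().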

Affected Products

Magnigenie RestroPress WordPress plugin versions up to and including 3.2.8.4 are affected (CPE: cpe:2.3:a:magnigenie:restropress:*:*:*:*:*:wordpress:*:*); no earlier version is known to be unaffected. The plugin serves as a restaurant and food ordering system for WordPress installations, so it is most relevant to food service and hospitality websites. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve for the vendor advisory and technical indicators.

Remediation

Upgrade RestroPress to a release later than 3.2.8.4 as soon as possible; check the plugin's page in the official WordPress plugin repository, or contact Magnigenie, for the release that contains the XSS sanitization fix. While the upgrade is pending, restrict creation of low-privilege accounts and audit existing Contributor and Author accounts for suspicious activity; if the vulnerable feature cannot be isolated, consider temporarily disabling the plugin. A Web Application Firewall (WAF) rule that blocks common XSS patterns in user input reduces exposure but does not replace the patch. After patching, scan the database for previously injected payloads, using security plugins or manual inspection of stored user-generated content, since the upgrade fixes rendering of new input but does not remove content that was stored before it.
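The post-patch database sweep recommended above, as an added example that is not part of this advisory or of the plugin. It runs a small set of script-injection indicators over stored, user-supplied content and reports rows that need manual review. The rows here are constructed inline; on a real site they would come from $wpdb->get_results() over wp_posts, wp_postmeta, wp_comments and the plugin's own tables, and hits would be reviewed by a person rather than deleted automatically.

```php
<?php
// Added example, not part of the advisory or the plugin: sweep stored
// user-supplied content for markup that a plain-text field should never hold.

// Indicators of script injection in content expected to be plain text.
// Patterns are deliberately broad; every hit is for human review.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/<[^>]+\bon[a-z]+\s*=/i',          // on* attribute inside a tag
    'js_url'         => '/\b(?:href|src)\s*=\s*["\']?\s*javascript:/i',
    'embed_tag'      => '/<\s*(?:iframe|object|embed|svg)\b/i',
    'encoded_script' => '/&(?:lt|#0*60|#x0*3c);\s*script/i', // entity-encoded "<script"
];

// Return the names of every indicator that matches one stored value.
function scan_value(string $value): array {
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Each row: [table, primary key, column, stored value]. Constructed sample data
// standing in for rows fetched with $wpdb->get_results() on a live site.
$rows = [
    ['wp_postmeta', 101, 'meta_value',      'Extra napkins please'],
    ['wp_postmeta', 102, 'meta_value',      'Ring bell <script>document.title="x"</script>'],
    ['wp_comments', 17,  'comment_content', '<img src=x onerror=document.title=1>'],
    ['wp_usermeta', 9,   'meta_value',      'Table 4, window seat'],
];

// Collect one finding per row that matches at least one indicator.
function scan_rows(array $rows): array {
    $findings = [];
    foreach ($rows as [$table, $id, $column, $value]) {
        $hits = scan_value($value);
        if ($hits !== []) {
            $findings[] = [
                'table'      => $table,
                'id'         => $id,
                'column'     => $column,
                'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

foreach (scan_rows($rows) as $f) {
    printf("%s#%d.%s: %s\n", $f['table'], $f['id'], $f['column'],
           implode(', ', $f['indicators']));
}
```

On the constructed rows the sweep reports wp_postmeta#102 (script_tag) and wp_comments#17 (event_handler). Expect false positives on fields that legitimately hold HTML, such as post content; restrict the sweep to the plugin's plain-text fields, or compare hits against what the field's sanitizer would have allowed, before treating a match as an injected payload.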

Priority Score

33 (KEV: 0, EPSS: +0.0, CVSS: +32, POC: 0)
