Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants vikrestaurants allows Reflected XSS.This issue affects VikRestaurants: from n/a through <= 1.5.2.
AnalysisAI
VikRestaurants plugin versions up to and including 1.5.2 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by users. The vulnerability affects the e4jvikwp VikRestaurants product, a restaurant management and booking plugin primarily used in WordPress environments. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, resulting in credential theft, session hijacking, or defacement of the restaurant website.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or escaped before being rendered in HTML context. VikRestaurants, identified via CPE cpe:2.3:a:e4jvikwp:vikrestaurants:*:*:*:*:*:*:*:*, is a restaurant management plugin that likely accepts user input through URL parameters or form submissions without adequate input validation and output encoding. The Reflected XSS attack vector means the payload is transmitted through the HTTP request itself (typically via GET parameters) rather than being stored, making it a first-order attack that requires social engineering to deliver but can be executed without database interaction.
RemediationAI
Immediately upgrade VikRestaurants to a version greater than 1.5.2 (verify latest patch availability through the official Patchstack advisory and the plugin vendor's release notes). Administrators unable to patch immediately should implement input validation and output encoding at the application level, enforce Content Security Policy (CSP) headers to mitigate XSS payload execution, and restrict access to the affected plugin's functions to authenticated users only. Additionally, review access logs for evidence of exploitation attempts targeting the vulnerable parameters. Reference the vendor advisory via Patchstack at https://patchstack.com/database/Wordpress/Plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-plugin-1-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmed patch versions and deployment instructions.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15621
GHSA-5f63-62xv-53cx