Skip to main content

Vikrestaurants EUVDEUVD-2026-15621

| CVE-2026-25025 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-5f63-62xv-53cx
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15621
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants vikrestaurants allows Reflected XSS.This issue affects VikRestaurants: from n/a through <= 1.5.2.

AnalysisAI

VikRestaurants plugin versions up to and including 1.5.2 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by users. The vulnerability affects the e4jvikwp VikRestaurants product, a restaurant management and booking plugin primarily used in WordPress environments. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, resulting in credential theft, session hijacking, or defacement of the restaurant website.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or escaped before being rendered in HTML context. VikRestaurants, identified via CPE cpe:2.3:a:e4jvikwp:vikrestaurants:*:*:*:*:*:*:*:*, is a restaurant management plugin that likely accepts user input through URL parameters or form submissions without adequate input validation and output encoding. The Reflected XSS attack vector means the payload is transmitted through the HTTP request itself (typically via GET parameters) rather than being stored, making it a first-order attack that requires social engineering to deliver but can be executed without database interaction.

RemediationAI

Immediately upgrade VikRestaurants to a version greater than 1.5.2 (verify latest patch availability through the official Patchstack advisory and the plugin vendor's release notes). Administrators unable to patch immediately should implement input validation and output encoding at the application level, enforce Content Security Policy (CSP) headers to mitigate XSS payload execution, and restrict access to the affected plugin's functions to authenticated users only. Additionally, review access logs for evidence of exploitation attempts targeting the vulnerable parameters. Reference the vendor advisory via Patchstack at https://patchstack.com/database/Wordpress/Plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-plugin-1-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmed patch versions and deployment instructions.

Share

EUVD-2026-15621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy