CVE-2024-51849 is a stored Cross-site Scripting (XSS) vulnerability identified in the My Restaurant Menu plugin by Marco Piarulli, affecting versions up to 0.2.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the application. When other users or administrators view the affected pages, the malicious scripts execute in their browsers within the context of the vulnerable site. This can lead to theft of sensitive information such as cookies and session tokens, unauthorized actions performed on behalf of users, and defacement or redirection of the website. The vulnerability does not require authentication to exploit, increasing its risk profile. Although no public exploits are currently known, the nature of stored XSS makes it a critical concern for websites relying on this plugin. The plugin is primarily used in restaurant websites to display menus, which may have moderate to high traffic and user interaction. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors. The vulnerability affects confidentiality and integrity primarily, with potential availability impact if attackers use the exploit to inject disruptive scripts. The scope is limited to websites using the vulnerable plugin, but given the popularity of WordPress and similar CMS platforms, the affected surface is non-trivial. Mitigation strategies include input validation and sanitization, output encoding, use of security headers like Content Security Policy (CSP), and prompt application of patches once released.

The stored XSS vulnerability in My Restaurant Menu can have severe consequences for affected organizations. Attackers can execute arbitrary JavaScript in the context of the vulnerable website, potentially stealing session cookies, hijacking user accounts, or performing unauthorized actions on behalf of users. This can lead to data breaches, loss of customer trust, and reputational damage. For restaurant websites, this could also mean manipulation of menu information, fraudulent orders, or redirection to malicious sites, impacting business operations and customer experience. The vulnerability could be exploited to deliver malware or phishing attacks to site visitors, amplifying the risk. Since the exploit does not require authentication, any visitor could trigger the attack, increasing the attack surface. Although no known exploits are currently in the wild, the vulnerability's presence in publicly accessible websites makes it a likely target for attackers once exploit code becomes available. Organizations may face regulatory and compliance issues if customer data is compromised due to this vulnerability.

Organizations using the My Restaurant Menu plugin should immediately monitor for updates or patches from the vendor and apply them as soon as they are available. In the interim, implement strict input validation and sanitization on all user-supplied data to prevent malicious script injection. Employ output encoding techniques to ensure that any data rendered on web pages does not execute as code. Configure Content Security Policy (CSP) headers to restrict the sources from which scripts can be loaded and executed, thereby reducing the impact of potential XSS payloads. Regularly audit and review website content for suspicious or unauthorized scripts. Consider using Web Application Firewalls (WAFs) with rules designed to detect and block XSS attempts. Educate website administrators and developers about secure coding practices related to input handling. Finally, conduct penetration testing focused on XSS vulnerabilities to identify and remediate similar issues proactively.