CVE-2025-11496 is a stored cross-site scripting vulnerability identified in the Five Star Restaurant Reservations plugin for WordPress, developed by rustaurius. The flaw exists in all versions up to and including 2.7.5 due to insufficient input sanitization and output escaping of the 'rtb-name' parameter. This parameter is used during web page generation, and because the plugin fails to properly neutralize malicious input, attackers can inject arbitrary JavaScript code that is stored persistently on the server. When other users access the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely over the network without requiring authentication, though it requires user interaction to trigger the malicious script. The CVSS v3.1 base score is 6.1, reflecting medium severity, with attack vector network, low attack complexity, no privileges required, user interaction required, and scope changed. No public exploits have been reported yet. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. The plugin is widely used by restaurants and hospitality businesses to manage reservations via WordPress, making this vulnerability relevant to many organizations relying on this software for customer interactions.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, which can lead to theft of authentication cookies, personal information, or manipulation of displayed content. This can facilitate phishing attacks, unauthorized transactions, or spreading malware. Although availability is not directly affected, the reputational damage and potential regulatory consequences from data breaches can be significant. Organizations using the affected plugin risk compromise of customer trust and potential financial losses. Since the vulnerability requires user interaction, the scope is limited to users who visit the compromised pages, but given the plugin’s usage in customer-facing websites, the exposure can be broad. The lack of authentication requirement for exploitation increases the threat level, as any remote attacker can attempt injection. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge.

To mitigate this vulnerability, organizations should immediately update the Five Star Restaurant Reservations plugin to a patched version once released by the vendor. Until a patch is available, implement strict input validation and output encoding on the 'rtb-name' parameter at the web application firewall (WAF) or reverse proxy level to block suspicious input patterns indicative of XSS payloads. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize user-generated content stored by the plugin. Educate users and administrators about the risks of clicking on suspicious links or inputs. Monitor web server logs for unusual parameter values or repeated injection attempts. Additionally, consider isolating the booking plugin functionality or restricting access to trusted users if feasible. Finally, maintain up-to-date backups and incident response plans to quickly recover from any potential compromise.