CVE-2025-11496 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Five Star Restaurant Reservations plugin for WordPress, developed by rustaurius. The vulnerability exists in all versions up to and including 2.7.5 due to insufficient sanitization and output escaping of the 'rtb-name' parameter. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into the booking pages. When a user accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.1, indicating medium severity. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component. Confidentiality and integrity impacts are low, with no availability impact. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and could be targeted by attackers. The plugin is commonly used in WordPress-based restaurant booking sites, making customer-facing web applications vulnerable. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

For European organizations, especially those in the hospitality and restaurant sectors relying on WordPress and this specific plugin, the impact includes potential compromise of customer data confidentiality and integrity. Attackers could steal session cookies, impersonate users, or perform unauthorized actions, leading to reputational damage and loss of customer trust. Since the vulnerability is stored XSS, malicious scripts persist on the server and affect multiple users, increasing the risk and scope of impact. Although availability is not affected, the indirect consequences such as phishing, malware distribution, or defacement could disrupt business operations. The medium CVSS score reflects a moderate risk, but the widespread use of WordPress in Europe and the critical nature of booking systems amplify the threat. Organizations may also face regulatory scrutiny under GDPR if customer data is compromised due to inadequate security controls.

1. Monitor official plugin channels and WordPress security advisories for an official patch and apply it immediately upon release. 2. Until a patch is available, implement a Web Application Firewall (WAF) with strong XSS filtering rules to detect and block malicious payloads targeting the 'rtb-name' parameter. 3. Conduct manual input validation and output encoding on all user-supplied data within the booking plugin if possible, to neutralize scripts before rendering. 4. Restrict user input length and allowed characters for the 'rtb-name' field to reduce injection vectors. 5. Educate site administrators and users about the risks of clicking suspicious links or interacting with untrusted content. 6. Regularly audit and monitor web logs for unusual requests or payloads targeting the vulnerable parameter. 7. Consider isolating or temporarily disabling the vulnerable plugin if mitigation is not feasible until a patch is available. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.