CVE-2025-11830 is a stored cross-site scripting vulnerability identified in the WP Restaurant Listings plugin for WordPress, specifically affecting all versions up to and including 1.0.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the 'align' parameter of the restaurant_summary shortcode is insufficiently sanitized and escaped. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No patches or known exploits are currently reported, but the vulnerability's presence in a popular WordPress plugin used in hospitality and restaurant websites poses a tangible risk. The attack requires authenticated access, which limits exposure but still presents a significant threat if contributor accounts are compromised or misused. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in user-supplied parameters used in shortcodes or dynamic content generation.

For European organizations, especially those in the hospitality, restaurant, and tourism sectors that rely on WordPress websites with the WP Restaurant Listings plugin, this vulnerability can lead to significant risks. Successful exploitation could allow attackers to execute malicious scripts in the context of legitimate users, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions with the victim’s privileges. This could result in data breaches involving customer information, reputational damage, and loss of customer trust. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a direct risk. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the website or connected systems. Given the widespread use of WordPress in Europe and the importance of online presence for businesses, the impact could be broad if not mitigated promptly.

1. Immediately audit and restrict contributor-level access on WordPress sites using the WP Restaurant Listings plugin to trusted personnel only. 2. Implement strict input validation and output escaping for the 'align' parameter in the restaurant_summary shortcode via custom code or security plugins until an official patch is released. 3. Monitor website logs and shortcode usage for unusual or suspicious input patterns that may indicate exploitation attempts. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the vulnerable parameter. 5. Educate contributors about the risks of injecting untrusted content and enforce strong authentication mechanisms such as MFA to reduce account compromise risk. 6. Regularly back up website data and configurations to enable quick recovery in case of successful exploitation. 7. Stay updated with vendor announcements and apply official patches immediately once available. 8. Consider temporarily disabling or replacing the WP Restaurant Listings plugin if mitigation is not feasible until a fix is released.