The Snillrik Restaurant plugin for WordPress, developed by mattiaspkallio, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-14112. This vulnerability exists in all versions up to and including 2.2.1 and is due to insufficient sanitization and escaping of user input in the 'menu_style' shortcode attribute. Specifically, authenticated users with Contributor-level or higher privileges can inject arbitrary JavaScript code into pages via this attribute. Because the injected scripts are stored persistently, they execute every time the affected page is accessed by any user, including administrators and visitors. This can lead to a range of attacks such as session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 score of 6.4 indicates a medium severity, with an attack vector over the network, low complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits are reported in the wild, but the risk remains significant due to the ease of exploitation by authenticated users. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept shortcode attributes from users with content editing permissions.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Snillrik Restaurant plugin on WordPress platforms. The ability for contributors to inject persistent scripts can compromise the confidentiality of user data, including session tokens and personal information, potentially leading to account takeover or unauthorized actions. Integrity of website content can be undermined through defacement or malicious content injection, damaging brand reputation. Although availability is not directly impacted, indirect effects such as blacklisting by search engines or browsers can occur. Organizations with multiple content editors or contributors are at higher risk, as the attack requires authenticated access. The vulnerability could be leveraged in targeted attacks against hospitality or restaurant-related businesses in Europe, especially those relying on WordPress for their online presence. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection, and exploitation of this vulnerability could lead to compliance violations and financial penalties. The absence of known exploits reduces immediate threat but does not eliminate the risk, especially as exploit code could be developed and shared rapidly once public disclosure occurs.

1. Immediate mitigation should involve restricting Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode attribute injection. 2. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script tags or JavaScript payloads in shortcode attributes or POST requests. 3. Monitor WordPress pages and posts for unexpected script injections or changes in the 'menu_style' attribute, using automated scanning tools or manual audits. 4. Disable or remove the Snillrik Restaurant plugin if it is not essential, or replace it with a more secure alternative. 5. Follow up with the plugin vendor for official patches or updates addressing this vulnerability and apply them promptly once available. 6. Educate content contributors about safe content editing practices and the risks of injecting untrusted code. 7. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 8. Regularly back up website data to enable quick restoration in case of compromise. These steps go beyond generic advice by focusing on privilege management, monitoring, and layered defenses tailored to the nature of this stored XSS vulnerability.