CVE-2025-14112 is a stored cross-site scripting vulnerability identified in the Snillrik Restaurant plugin for WordPress, maintained by mattiaspkallio. The flaw exists in all versions up to and including 2.2.1, specifically in the handling of the 'menu_style' shortcode attribute. The vulnerability stems from insufficient sanitization and escaping of user-supplied input before it is embedded into web pages. Authenticated users with Contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript code into pages via the vulnerable shortcode attribute. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's presence in a popular CMS plugin makes it a credible risk. The issue was reserved in December 2025 and published in January 2026, with no official patch released at the time of this report.

The impact of CVE-2025-14112 is significant for organizations running WordPress sites that utilize the Snillrik Restaurant plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the affected website, enabling attackers to steal session cookies, perform actions on behalf of other users, deface content, or redirect visitors to malicious sites. This compromises the confidentiality and integrity of user data and can damage organizational reputation. Since the vulnerability requires authenticated access at Contributor level or above, insider threats or compromised accounts pose a direct risk. The scope change means that the vulnerability can affect resources beyond the initial vulnerable component, potentially impacting multiple users and site functionality. Although availability is not directly affected, the indirect consequences of exploitation, such as site defacement or user trust erosion, can have operational and financial repercussions. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as threat actors develop proof-of-concept exploits.

To mitigate CVE-2025-14112, organizations should first check for and apply any official patches or updates from the plugin developer once available. In the absence of a patch, administrators should consider disabling or removing the Snillrik Restaurant plugin to eliminate the attack surface. Restrict Contributor-level access strictly to trusted users and audit existing user permissions to minimize the risk of exploitation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'menu_style' shortcode attribute. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor website content for unauthorized script injections and conduct security scans focusing on XSS vulnerabilities. Educate site administrators and content contributors about the risks of XSS and safe content practices. Finally, maintain comprehensive logging and alerting to detect potential exploitation attempts promptly.