CVE-2025-14112 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Snillrik Restaurant plugin for WordPress, maintained by mattiaspkallio. The flaw exists in all versions up to and including 2.2.1 and is due to improper neutralization of input during web page generation, specifically through the 'menu_style' shortcode attribute. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who views the compromised page. This occurs because the plugin fails to adequately sanitize and escape input data before rendering it in the page output, violating CWE-79 standards. The vulnerability can be exploited remotely over the network without user interaction, but requires authentication with limited privileges, making it moderately accessible to attackers with insider or contributor access. The CVSS 3.1 base score of 6.4 reflects a medium severity, with impact on confidentiality and integrity but no direct availability impact. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially allowing privilege escalation or session hijacking. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors or public user bases. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress sites, risking session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. Hospitality and restaurant businesses using the Snillrik Restaurant plugin are particularly vulnerable, as attackers with contributor access can embed malicious scripts that affect site visitors, including customers and staff. This could result in reputational damage, data breaches, and compliance violations under GDPR if personal data is compromised. Since the exploit requires authenticated access, insider threats or compromised contributor accounts pose a significant risk. The medium severity score indicates a moderate but tangible threat, especially for organizations with large contributor teams or public-facing WordPress installations. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks. European entities relying on WordPress plugins for restaurant or hospitality management should consider this vulnerability a priority due to the sensitive nature of customer interactions and data.

Organizations should immediately audit their WordPress installations to identify the presence of the Snillrik Restaurant plugin and verify the version in use. Until an official patch is released, restrict contributor-level access to trusted users only and implement strict user role management to minimize the risk of malicious input. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute injections related to 'menu_style'. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly monitor logs for unusual contributor activity or unexpected shortcode usage. Educate contributors about the risks of injecting untrusted content and enforce secure coding practices if custom plugin modifications exist. Once a patch becomes available, prioritize its deployment. Additionally, consider isolating or disabling the vulnerable shortcode attribute if feasible to prevent exploitation. Conduct penetration testing focused on XSS vectors within WordPress environments to identify similar vulnerabilities.