This vulnerability (CVE-2025-29014) in ZoomIt FoodMenu is classified as CWE-79, indicating improper neutralization of input during web page generation resulting in reflected cross-site scripting (XSS). The flaw allows attackers to inject malicious scripts that execute when a user interacts with a crafted URL or input, potentially compromising user data or session integrity. It affects all versions through 1.20. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory details are currently provided.

Successful exploitation of this reflected XSS vulnerability can lead to partial compromise of confidentiality, integrity, and availability of the affected system or user data. Attackers may execute arbitrary scripts in the victim's browser context, potentially stealing session tokens, redirecting users, or performing unauthorized actions. However, no known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and URLs. Implementing web application firewall (WAF) rules to detect and block reflected XSS payloads may provide temporary mitigation. Avoid clicking suspicious links related to the FoodMenu application.