
CVE-2025-58812: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PriceListo Best Restaurant Menu by PriceListo

Severity: Medium
Tags: Vulnerability, CVE-2025-58812, CVE, CWE-79
Published: Fri Sep 05 2025 (09/05/2025, 13:45:13 UTC)
Source: CVE Database V5
Vendor/Project: PriceListo
Product: Best Restaurant Menu by PriceListo

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PriceListo Best Restaurant Menu by PriceListo allows Stored XSS. This issue affects Best Restaurant Menu by PriceListo: from n/a through 1.4.3.

AI-Powered Analysis

Last updated: 09/05/2025, 14:17:51 UTC

Technical Analysis

CVE-2025-58812 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the 'Best Restaurant Menu by PriceListo' WordPress plugin in versions through 1.4.3. The plugin does not neutralize user-supplied input before placing it in the HTML it generates, so an attacker holding a low-privileged account can store a script payload in plugin-managed content. The payload then executes in the browser of anyone who later renders the affected page, administrators included, with that victim's privileges: typical consequences are actions performed through the victim's authenticated session, theft of tokens or form data exposed to the page, and defacement or redirection of the rendered menu. The CVSS 3.1 base score is 6.5 (Medium), from the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: the attack is reachable over the network (AV:N) with low complexity (AC:L), requires low privileges (PR:L) and user interaction (UI:R), because a victim must view the page where the payload is rendered; the scope is changed (S:C) because the script executes in the visitor's browser rather than in the plugin itself; and confidentiality, integrity and availability impacts are each rated low (C:L/I:L/A:L). At the time of analysis no exploitation in the wild had been reported and no patch had been linked from the CVE record. The affected component is a plugin that restaurant websites use to publish menus, so every site running an affected version is exposed to the extent that accounts below administrator can reach the plugin's input fields.
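The pattern behind a CWE-79 stored XSS in a WordPress plugin, as an added illustration for this analysis rather than code from Best Restaurant Menu by PriceListo (the plugin's actual code is not public on this page, and the option names, hook names, nonce action and shortcode tags below are hypothetical). The first half stores a menu item exactly as posted and echoes it back into HTML; the second half shows the hardened form a plugin author would ship: a capability check, a nonce, context-appropriate sanitization on save, and escaping for the exact output context at render time.

```php
<?php
/**
 * Illustrative CWE-79 (stored XSS) pattern and its fix, WordPress style.
 *
 * Added example written for this analysis. NOT code from the PriceListo plugin.
 * Option names (rm_menu_items*), hook suffixes, the nonce action 'rm_save_item'
 * and the shortcode tags are assumptions used only to make the pattern concrete.
 */

// ---- Vulnerable form: no authorization, no sanitization on save, no escaping on output. ----

add_action( 'admin_post_rm_save_item_vuln', function () {
    // Missing: current_user_can() and check_admin_referer().
    $items   = get_option( 'rm_menu_items_vuln', array() );
    $items[] = array(
        'name'  => $_POST['name']  ?? '',   // raw, attacker-controlled input stored as-is
        'desc'  => $_POST['desc']  ?? '',
        'price' => $_POST['price'] ?? '',
    );
    update_option( 'rm_menu_items_vuln', $items );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

add_shortcode( 'rm_menu_vuln', function () {
    $out = '<ul class="rm-menu">';
    foreach ( get_option( 'rm_menu_items_vuln', array() ) as $item ) {
        // The stored value is concatenated straight into markup. A 'desc' such as
        // <img src=x onerror=...> or a 'name' containing a double quote that breaks
        // out of the title attribute executes in every visitor's browser.
        $out .= '<li title="' . $item['name'] . '">'
              . $item['name'] . ': ' . $item['desc'] . ' (' . $item['price'] . ')</li>';
    }
    return $out . '</ul>';
} );

// ---- Hardened form: authorize, verify intent, sanitize on save, escape on output. ----

add_action( 'admin_post_rm_save_item', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'rm_save_item' );  // rejects requests without a valid nonce (CSRF)

    $items   = get_option( 'rm_menu_items', array() );
    $items[] = array(
        // Plain-text field: strips tags, control characters and stray whitespace.
        'name'  => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        // Limited rich text: only the post-safe HTML subset survives (no <script>,
        // no on* handlers, no javascript: URLs).
        'desc'  => wp_kses_post( wp_unslash( $_POST['desc'] ?? '' ) ),
        // Numeric field: coercion leaves nothing but a number to store.
        'price' => (float) ( $_POST['price'] ?? 0 ),
    );
    update_option( 'rm_menu_items', $items );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

add_shortcode( 'rm_menu', function () {
    $out = '<ul class="rm-menu">';
    foreach ( get_option( 'rm_menu_items', array() ) as $item ) {
        // Escape for the exact context at the point of output even though the data
        // was sanitized on save: import paths and older rows may bypass the save
        // handler, and output escaping is the control CWE-79 is actually about.
        $out .= sprintf(
            '<li title="%s">%s: %s (%s)</li>',
            esc_attr( $item['name'] ),                                  // attribute context
            esc_html( $item['name'] ),                                  // text context
            wp_kses_post( $item['desc'] ),                              // constrained HTML context
            esc_html( number_format_i18n( (float) $item['price'], 2 ) ) // text context
        );
    }
    return $out . '</ul>';
} );
```

The submitting form for the hardened handler posts to admin-post.php with a hidden `action=rm_save_item` field and `wp_nonce_field( 'rm_save_item' )`. The split between sanitizing on save and escaping on output is deliberate: sanitization limits what can be stored, but only escaping chosen per output context (attribute, text node, constrained HTML) prevents the rendered page from executing whatever did get stored.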

Potential Impact

For European organizations in the hospitality and restaurant sectors that run the PriceListo Best Restaurant Menu plugin, the vulnerability exposes both site visitors and staff to client-side attacks. Because the payload is stored, it fires for every visitor of the affected page rather than only for a targeted victim. A script running in an administrator's browser can issue requests with the administrator's session, altering menu content or performing any other action that account is permitted to perform. Outright theft of the session cookie is less likely on a default installation, since WordPress marks its authentication cookies HttpOnly, but that does not stop the script from acting through the logged-in browser or from capturing data the page exposes. Injected content can also redirect customers to phishing or malware pages, which damages brand trust and may attract regulatory scrutiny under GDPR if personal data is exposed. The medium severity reflects the need for an account and for a victim to view the page; combined with weak account hygiene or social engineering, the practical impact is higher. Web-based menu systems are widespread among small and medium-sized restaurants in Europe, a segment that often has no dedicated security staff and patches slowly.

Mitigation Recommendations

Organizations should first establish whether the plugin is installed and which version is running, by checking the Plugins screen in wp-admin or listing installed plugins with WP-CLI; any version through 1.4.3 is affected. Until the vendor releases a fixed version, the available controls are compensating rather than corrective. Web Application Firewall rules that match common XSS payloads against the plugin's input fields reduce opportunistic exploitation but are signature-based and can be bypassed, so they should be treated as a stopgap. Input validation and output encoding are the actual fix, but they live inside the plugin's code and are the vendor's to ship; site operators should apply the update as soon as it is published. In the meantime, restrict who can add or edit menu content to the smallest set of trusted accounts, since the attack requires an authenticated low-privileged user, and review existing menu content for unexpected HTML. A Content Security Policy can limit what an injected script may do; because WordPress core and most themes rely on inline scripts, deploy it in report-only mode first and tighten it from the violation reports rather than enforcing a strict policy immediately. Monitor web server and WordPress logs for unusual content changes and account activity, and consider disabling or replacing the plugin where the menu can be published by other means.
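A must-use plugin that carries out two of the steps above, the version audit and a report-only CSP, written as an added example for this analysis and not code from the vendor or from OffSeq. The plugin file path `best-restaurant-menu-by-pricelisto/best-restaurant-menu-by-pricelisto.php` and the `/csp-report` collector endpoint are assumptions; confirm the real path under wp-content/plugins/ on the target install before relying on the notice.

```php
<?php
/**
 * Plugin Name: Interim hardening for CVE-2025-58812 (added example)
 *
 * Drop into wp-content/mu-plugins/ so it loads on every request. This is an added
 * example written for this analysis, not vendor code. The plugin file path below
 * is an assumption: verify it against wp-content/plugins/ before trusting the check.
 */

define( 'RM_ADVISORY_PLUGIN_FILE', 'best-restaurant-menu-by-pricelisto/best-restaurant-menu-by-pricelisto.php' ); // assumed path
define( 'RM_ADVISORY_LAST_AFFECTED', '1.4.3' ); // "through 1.4.3" per the CVE record

/**
 * Installed version string of the plugin, or null when it is not present on disk.
 */
function rm_advisory_installed_version() {
    $path = WP_PLUGIN_DIR . '/' . RM_ADVISORY_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Reads the "Version:" header from the plugin file; markup and translation disabled.
    $data = get_plugin_data( $path, false, false );
    return $data['Version'] ?? null;
}

/**
 * True when the installed version falls inside the affected range (<= 1.4.3).
 */
function rm_advisory_is_affected( $version ) {
    return null !== $version
        && version_compare( $version, RM_ADVISORY_LAST_AFFECTED, '<=' );
}

// 1. Audit step: tell anyone who can update plugins that an affected build is live.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $version = rm_advisory_installed_version();
    if ( rm_advisory_is_affected( $version ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Best Restaurant Menu by PriceListo %s is installed; versions through %s are affected by CVE-2025-58812 (stored XSS). Apply the vendor fix as soon as it is released.',
                $version,
                RM_ADVISORY_LAST_AFFECTED
            ) )
        );
    }
} );

// 2. CSP in report-only mode. WordPress core, the block editor and most themes use
//    inline scripts, so enforcing script-src 'self' straight away would break pages;
//    collect violations first, tune the policy, then rename the header to
//    Content-Security-Policy. The send_headers action fires on front-end requests,
//    which is where a shortcode-rendered menu (and a stored payload in it) is shown.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    $policy = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self'",      // once enforced, blocks inline <script> and on* handlers
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        'report-uri /csp-report',  // assumed collector endpoint; point at your own
    ) );
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
} );
```

The notice does not stop exploitation; it closes the gap between "we think we patched" and "the affected file is still on disk". The CSP is deliberately not enforced from the start because the failure mode of a too-strict policy on WordPress is a broken site, which tends to get the policy removed entirely rather than tuned.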


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-05T10:49:12.188Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68baeaa257c5b37b67a4602a

Added to database: 9/5/2025, 1:50:26 PM

Last enriched: 9/5/2025, 2:17:51 PM

Last updated: 9/5/2025, 8:04:45 PM
