CVE-2025-6378 identifies a stored cross-site scripting vulnerability in the Responsive Food and Drink Menu plugin for WordPress, developed by corporatezen222. This vulnerability exists in all versions up to and including 2.3 and is triggered via the plugin's display_pdf_menus shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. When a page containing the injected shortcode is accessed, the malicious script executes in the context of the victim's browser, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability is exploitable remotely over the network without user interaction, but requires at least contributor-level privileges, which limits the attack surface to authenticated users. The CVSS 3.1 score of 6.4 reflects medium severity, with low attack complexity and a scope change due to the potential compromise of other users' sessions or data. No public exploit code or active exploitation has been reported yet, but the vulnerability is significant for websites relying on this plugin, especially those with multiple contributors or editors. The lack of patches or official fixes at the time of publication necessitates immediate mitigation steps by administrators.

The primary impact of CVE-2025-6378 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover, unauthorized content modification, or further exploitation of the site infrastructure. Although availability is not directly affected, the reputational damage and potential data breaches can have severe consequences for organizations, especially those in the hospitality and food service sectors using the Responsive Food and Drink Menu plugin. The vulnerability's requirement for authenticated access reduces the risk from anonymous attackers but does not eliminate it, as contributor accounts are common in multi-author environments. Organizations with large editorial teams or less stringent access controls are particularly vulnerable. Additionally, the cross-site scripting flaw can be leveraged as a stepping stone for more complex attacks such as phishing or malware distribution within trusted domains.

To mitigate CVE-2025-6378, organizations should immediately review and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Disabling or removing the display_pdf_menus shortcode from all content until a patch is available is a critical step to prevent exploitation. Administrators should implement strict input validation and output encoding on any user-supplied data within the plugin or custom code, following secure coding best practices. Monitoring logs for unusual shortcode usage or unexpected script injections can help detect attempted exploitation. Applying web application firewalls (WAFs) with rules targeting XSS payloads specific to this plugin can provide temporary protection. Organizations should track updates from the plugin vendor and apply patches promptly once released. Additionally, educating content contributors about secure content practices and the risks of injecting untrusted code can reduce accidental exploitation. Regular security audits and vulnerability scanning focused on WordPress plugins will help identify similar issues proactively.