The Easy restaurant menu manager plugin for WordPress, developed by nikelschubert, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-6673. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically within the nsc_eprm_menu_link shortcode. Versions up to and including 2.0.1 fail to properly sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code that is stored persistently in the website's content. When other users access the affected pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability requires no user interaction beyond visiting the infected page but does require authenticated access, limiting exploitation to users with some level of trust on the site. The CVSS 3.1 base score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level user roles. The lack of available patches at the time of publication necessitates immediate mitigation measures.

This vulnerability can lead to unauthorized script execution in the context of the affected website, compromising the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can leverage this flaw to escalate privileges, steal cookies or authentication tokens, perform actions on behalf of other users, or deliver malware payloads. For organizations, this can result in data breaches, reputational damage, and potential regulatory non-compliance. Since WordPress powers a significant portion of websites globally, and the Easy restaurant menu manager plugin is used by restaurants and hospitality businesses, the impact could extend to customer data exposure and disruption of online services. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or weak user management. The stored nature of the XSS means the malicious payload persists, increasing the likelihood of exposure to multiple users over time.

Organizations should immediately review user roles and permissions to restrict contributor-level access to trusted users only. Until an official patch is released, disabling or uninstalling the Easy restaurant menu manager plugin is the safest approach. If the plugin must remain active, administrators should audit all content created via the nsc_eprm_menu_link shortcode for suspicious scripts and remove any malicious code. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this plugin can provide temporary protection. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual activity and educating contributors about safe content practices will further reduce risk. Once a patch is available, prompt updating is critical. Finally, consider employing security plugins that sanitize user inputs and outputs to add an extra layer of defense.