CVE-2025-6673 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Easy restaurant menu manager WordPress plugin developed by nikelschubert. This vulnerability exists in versions up to and including 2.0.1 of the plugin. The root cause is insufficient input sanitization and output escaping of user-supplied attributes in the plugin's shortcode nsc_eprm_menu_link. Authenticated attackers with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages where the shortcode is used. When other users visit these pages, the malicious script executes in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a failure to properly sanitize inputs before rendering them in HTML output. The CVSS v3.1 base score is 6.4, reflecting a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with a scope change (S:C) and limited confidentiality and integrity impact (C:L/I:L), but no availability impact (A:N). There are no known exploits in the wild as of the publication date (July 4, 2025), and no official patches have been linked yet. This vulnerability is significant because it allows attackers with relatively low privileges to inject persistent malicious scripts that affect all users viewing the compromised content, potentially undermining the trust and security of the affected WordPress sites.

For European organizations using WordPress sites with the Easy restaurant menu manager plugin, this vulnerability poses a risk of persistent XSS attacks that can compromise user accounts, steal sensitive session tokens, or perform unauthorized actions on behalf of users. Given that contributors and above can exploit this flaw, insider threats or compromised contributor accounts could be leveraged to inject malicious scripts. This can lead to data leakage, defacement, or further exploitation within the organization's web infrastructure. The impact is particularly relevant for organizations in the hospitality and restaurant sectors that rely on this plugin for menu management, as customer trust and data privacy are critical. Additionally, GDPR compliance considerations mean that any data breach or unauthorized data access resulting from exploitation could lead to regulatory penalties. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the website or integrated systems. Although no active exploits are reported, the medium severity and ease of exploitation with low complexity make it a credible threat that should be addressed promptly to avoid reputational damage and operational disruption.

1. Immediate mitigation involves restricting contributor-level access and above to trusted users only, implementing strict user role management and monitoring for suspicious activity. 2. Disable or remove the Easy restaurant menu manager plugin if it is not essential, or replace it with a more secure alternative. 3. Monitor all pages using the nsc_eprm_menu_link shortcode for any unauthorized or suspicious content injections. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin's shortcode parameters. 5. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of any injected scripts. 6. Regularly audit and sanitize all user-generated content, especially from contributors, before publishing. 7. Stay updated with the vendor's announcements and apply patches as soon as they become available. 8. Conduct security awareness training for contributors to recognize the risks of injecting unsafe content. These measures go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to the plugin's functionality and exploitation vector.