CVE-2025-67922 is a reflected Cross-site Scripting (XSS) vulnerability identified in the ThemeGoods Grand Restaurant WordPress theme, affecting all versions prior to 7.0.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is reflected back to users. When a victim clicks a specially crafted URL or interacts with malicious content, the injected script executes within their browser context. This can lead to theft of session cookies, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability requires no authentication (PR:N) but does require user interaction (UI:R), such as clicking a malicious link. The attack vector is network-based (AV:N), meaning exploitation can occur remotely over the internet. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire web application. The CVSS v3.1 base score is 6.1, categorized as medium severity, reflecting moderate impact on confidentiality and integrity but no impact on availability. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026. The lack of available patches at the time of reporting suggests that organizations should monitor for updates from ThemeGoods and apply them promptly once released. The vulnerability is particularly relevant for websites in the hospitality sector using this theme, which may be targeted for data theft or defacement.

For European organizations, especially those in the hospitality and restaurant industries using the Grand Restaurant theme, this vulnerability poses a risk of session hijacking, credential theft, and unauthorized actions performed on behalf of users. This can lead to data breaches involving customer information, loss of customer trust, and potential regulatory penalties under GDPR due to compromised personal data. The reflected XSS can also be leveraged to deliver further malware or phishing attacks targeting employees or customers. Given the widespread use of WordPress and the popularity of hospitality themes, the attack surface is significant. The medium severity indicates that while the vulnerability is not critical, it can still cause meaningful harm if exploited, particularly in environments where sensitive customer or business data is processed. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially if attackers use social engineering to lure victims. The vulnerability could also be used as a foothold for more advanced attacks within compromised networks.

Organizations should immediately verify if they are using the ThemeGoods Grand Restaurant theme and confirm the version. The primary mitigation is to update the theme to version 7.0.9 or later once available, as this version addresses the vulnerability. Until patching is possible, implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Additionally, sanitize and validate all user inputs at the application level to prevent injection of malicious code. Employ Web Application Firewalls (WAFs) with rules targeting reflected XSS patterns to detect and block exploit attempts. Educate users and staff about the risks of clicking unknown or suspicious links to reduce successful exploitation via social engineering. Regularly monitor web server logs for unusual request patterns indicative of attempted XSS attacks. Finally, consider deploying browser security features such as HTTPOnly and Secure flags on cookies to prevent theft via script access.