CVE-2026-1910 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the UpMenu – Online ordering for restaurants plugin for WordPress. The vulnerability stems from insufficient input sanitization and output escaping of the 'lang' attribute within the 'upmenu-menu' shortcode. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing sensitive information, or performing actions on behalf of users. The vulnerability affects all versions up to and including 3.1 of the plugin. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. Although no public exploits have been reported, the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of UpMenu for restaurant online ordering. The flaw requires authenticated access, limiting exposure to users with at least contributor rights, but the impact on confidentiality and integrity is notable. The vulnerability does not affect system availability. No patches are currently linked, so mitigation may require manual code review or disabling the vulnerable shortcode until an update is released.

The primary impact of CVE-2026-1910 is on the confidentiality and integrity of data within affected WordPress sites using the UpMenu plugin. Attackers can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of cookies or credentials, unauthorized actions on behalf of users, and defacement of web content. This can erode user trust, damage brand reputation, and expose sensitive customer data, especially critical for restaurant businesses handling orders and personal information. Since the vulnerability requires authenticated access with contributor-level privileges, the risk is somewhat mitigated but still significant in environments where multiple users have such access. The scope of affected systems is broad given WordPress's global popularity and UpMenu's niche in restaurant online ordering. Although availability is not impacted, the breach of confidentiality and integrity can lead to regulatory compliance issues and financial losses. Organizations relying on UpMenu for e-commerce should consider this vulnerability a moderate threat that warrants prompt attention.

Organizations should immediately audit user roles and permissions to ensure that only trusted users have contributor-level or higher access to WordPress sites running UpMenu. Restricting contributor access reduces the attack surface. Until an official patch is released, consider disabling the 'upmenu-menu' shortcode or removing the 'lang' attribute usage to prevent injection points. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'lang' attribute. Conduct thorough input validation and output encoding on all user-supplied data in custom code or overrides related to UpMenu. Monitor site logs for unusual activity or script injections. Educate site administrators and content contributors about the risks of injecting untrusted content. Once available, promptly apply vendor patches or updates addressing this vulnerability. Regularly back up site data to enable recovery in case of compromise. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts.