CVE-2026-1910 is a stored Cross-Site Scripting vulnerability identified in the UpMenu – Online ordering for restaurants WordPress plugin, affecting all versions up to and including 3.1. The vulnerability stems from insufficient input sanitization and output escaping of the 'lang' attribute within the 'upmenu-menu' shortcode. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by manipulating this attribute. Because the malicious script is stored on the server, it executes automatically in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions on behalf of the user. The vulnerability does not require user interaction beyond visiting the infected page, and the attacker must have at least contributor-level access, which is a moderate barrier but still feasible in many WordPress environments. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component. No public exploits have been reported at the time of publication, but the flaw represents a significant risk for websites relying on this plugin for online ordering functionality. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that handle user-generated content or attributes.

For European organizations, particularly those in the hospitality and food service sectors using WordPress with the UpMenu plugin, this vulnerability poses a risk of session hijacking, data leakage, and unauthorized actions performed via injected scripts. Attackers with contributor-level access could compromise the integrity and confidentiality of user data, including customer information and payment details, potentially leading to reputational damage and regulatory penalties under GDPR. The stored nature of the XSS means that once exploited, multiple users can be affected without further attacker interaction, increasing the attack surface. Additionally, compromised administrative or editorial accounts could escalate the impact by injecting scripts that target higher-privilege users. The availability impact is minimal, but the breach of confidentiality and integrity can have severe operational and compliance consequences. Given the widespread use of WordPress in Europe and the growing adoption of online ordering systems, the threat is relevant to many small and medium enterprises as well as larger restaurant chains.

Organizations should immediately verify if they use the UpMenu plugin and identify the version in use. Since no official patch links are provided yet, administrators should consider the following mitigations: restrict contributor-level access strictly to trusted users to reduce the risk of malicious input; implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'lang' attribute or the shortcode; employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; monitor logs for unusual shortcode usage or input patterns; and consider temporarily disabling the plugin or the affected shortcode until a patch is released. Additionally, website owners should educate contributors about safe input practices and review user permissions regularly. Once a patch becomes available, prompt application is critical. Regular security audits and scanning for XSS vulnerabilities in plugins should be part of ongoing security hygiene.