CVE-2025-48286

Vulnerability

Overview The ReDi Restaurant Reservation plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This affects all versions up to and including 24.1209, allowing an attacker to inject arbitrary HTML or JavaScript into a response page.

Exploitation

Prerequisites An attacker can trigger this vulnerability by convincing a privileged user (e.g., an administrator) to click a crafted link or submit a specially crafted form. The attack requires user interaction, as the victim must take an action such as visiting a malicious URL. No authentication is needed from the attacker's side, but the target user must be logged into the WordPress site.

Potential

Impact Successful exploitation could allow the attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, redirection to malicious sites, or injection of unwanted advertisements. As noted in the advisory, this vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns [1].

Mitigation

Users should update to version 25.0513 or later, which resolves the vulnerability. Patchstack provides a mitigation rule for those unable to update immediately [1].