CVE-2025-48323
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Abunaser Khan Advance Food Menu advance-food-menu allows Stored XSS.This issue affects Advance Food Menu: from n/a through <= 1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Advance Food Menu plugin for WordPress allows attackers with contributor-level access to inject malicious scripts that execute when visitors view the affected page.
Vulnerability
Overview CVE-2025-48323 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Advance Food Menu plugin for WordPress, affecting versions from n/a through 1.0. The plugin fails to properly neutralize user-supplied input during web page generation, allowing an authenticated attacker with contributor-level privileges or higher to insert arbitrary HTML and JavaScript.[1]
Exploitation
Details The vulnerability can be exploited by a user who has at least the Contributor role in a WordPress site. The attacker submits a crafted payload through a menu item field (such as a description or custom field) that is not sanitized on input or output. When a privileged administrator or editor later views the injected content — or when a visitor loads the page containing the menu — the script executes in the browser of anyone accessing that page. No direct user interaction beyond viewing the compromised page is required for the stored payload to trigger.[1]
Impact
A successful exploit allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can be used to steal session cookies, redirect users to malicious sites, display advertisements, deface the page, or perform other actions limited only by the victim's session privileges. The CVSS v3 base score of 5.9 (Medium) reflects the need for some level of access (contributor) and the fact that a privileged user must perform an action (like visiting the affected page) for the script to fire, but the stored nature makes it persistent and dangerous for all subsequent visitors.[1]
Mitigation
As of publication, the vendor has not released a fix for the affected 1.0 version. Users are advised to disable or remove the plugin immediately, especially if running version 1.0. Workarounds include using a web application firewall (WAF) to block known XSS patterns or restricting contributor-level permissions. The vulnerability has been publicly disclosed and is likely to be included in automated exploitation kits used in mass campaigns against low-traffic WordPress sites.[1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.