CVE-2023-0553 in Quick Restaurant Menu Plugin
Summary
by MITRE • 01/27/2023
The Quick Restaurant Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The Quick Restaurant Menu plugin for WordPress presents a significant security vulnerability classified as CVE-2023-0553, which represents a stored cross-site scripting flaw that can be exploited by authenticated attackers with administrator-level privileges. This vulnerability exists within versions up to and including 2.0.2 of the plugin, making it a critical concern for WordPress installations that rely on this specific menu management solution. The flaw specifically targets the plugin's settings parameters, where insufficient input sanitization and output escaping create an exploitable condition that allows malicious code injection. The vulnerability's impact is particularly concerning because it requires only administrative-level access to exploit, meaning that attackers who have gained such privileges can leverage this flaw to execute arbitrary web scripts on affected systems.
The technical nature of this vulnerability stems from the plugin's failure to properly validate and sanitize user inputs within its settings interface. When administrators configure the plugin's parameters, the system does not adequately filter or escape potentially malicious content that could contain script tags or other harmful code. This weakness creates a persistent XSS vector where injected scripts are stored within the plugin's configuration data and subsequently executed whenever affected pages are accessed by users. The vulnerability is further constrained by specific environmental conditions that must be met for exploitation to occur, including multi-site WordPress installations and environments where the unfiltered_html capability has been disabled. This limitation means that the vulnerability affects a subset of WordPress deployments rather than all installations, but it still represents a serious risk for qualifying environments.
The operational impact of CVE-2023-0553 extends beyond simple script execution, as it enables attackers to potentially escalate their privileges and compromise entire WordPress installations. Once an attacker successfully injects malicious scripts through the plugin's settings, they can manipulate user sessions, steal sensitive information, redirect users to malicious websites, or even establish persistent backdoors within the affected environment. The stored nature of this vulnerability means that the injected code remains active until manually removed from the plugin settings, creating a long-term threat vector that can affect multiple users over extended periods. This particular vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a clear violation of secure coding practices that should prevent user-supplied data from being directly rendered without proper sanitization.
Organizations affected by this vulnerability should implement immediate mitigations including updating to the latest plugin version that addresses the XSS flaw, reviewing all plugin settings for potential malicious code injection, and monitoring user access logs for suspicious activities. The recommended approach involves disabling the plugin entirely until a patched version is deployed, followed by comprehensive security audits of all administrative user accounts. Additionally, implementing proper input validation and output escaping mechanisms within the WordPress environment can help prevent similar vulnerabilities from manifesting in other plugins or themes. This vulnerability demonstrates the critical importance of maintaining up-to-date security practices and adhering to the principle of least privilege, as it requires only administrative access to exploit and can potentially lead to complete system compromise. The ATT&CK framework categorizes this vulnerability under privilege escalation and persistence tactics, as it allows attackers to maintain access and execute code within the target environment.