CVE-2025-6673 in Easy Restaurant Menu Manager Plugin

Summary

by MITRE • 07/04/2025

The Easy restaurant menu manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nsc_eprm_menu_link shortcode in versions up to, and including, 2.0.1, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

by VulDB Data Team • 07/04/2025

The vulnerability identified as CVE-2025-6673 affects the Easy restaurant menu manager plugin for WordPress in versions up to and including 2.0.1. This represents a critical security flaw that enables stored cross-site scripting attacks through the plugin's nsc_eprm_menu_link shortcode functionality. The vulnerability arises from inadequate input sanitization and output escaping: the plugin's shortcode implementation fails to validate or encode user-supplied attributes before processing them.

The technical flaw manifests when authenticated attackers with contributor-level privileges or higher exploit the insufficient validation controls within the plugin's shortcode processing logic. These attackers can inject malicious scripts through the nsc_eprm_menu_link shortcode parameters, which are then stored within the WordPress database and executed whenever any user accesses pages containing the compromised shortcode. This creates a persistent threat vector that can affect all users who view affected content, regardless of their privilege level. The vulnerability operates at the application layer and specifically targets the plugin's handling of user input, making it particularly dangerous as it requires only minimal privileges to exploit.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, deface website content, steal sensitive information, or redirect users to malicious sites. Since the attack vector involves stored XSS, the malicious scripts persist in the database and execute automatically whenever affected pages are loaded, creating a continuous threat that can affect multiple users over time. This vulnerability directly violates security principles outlined in the OWASP Top Ten, specifically addressing the risks associated with cross-site scripting attacks that can lead to complete compromise of user sessions and data theft.

Organizations using the affected plugin version should immediately implement mitigation strategies including plugin updates to versions that address the sanitization and escaping deficiencies. The fix should incorporate proper input validation using WordPress's built-in sanitization functions and ensure all user-supplied attributes are properly escaped before output rendering. Additionally, administrators should consider implementing role-based access controls to limit contributor-level privileges and monitor for suspicious shortcode usage. This vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for the initial compromise vector through malicious content injection. The remediation approach should follow WordPress security best practices including input validation, output escaping, and regular security audits of third-party plugins to prevent similar vulnerabilities from being introduced into the WordPress environment.
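The monitoring step mentioned above can be approximated by auditing stored post content for nsc_eprm_menu_link shortcodes whose attribute values carry markup, event handlers or script-capable URL schemes. The following is an added example, not code from VulDB or from the plugin; the attribute names in the sample posts and the heuristics are assumptions, and the input is assumed to be (post ID, post_content) pairs exported from the WordPress database.

```python
import html
import re

SHORTCODE = "nsc_eprm_menu_link"  # shortcode name taken from the advisory
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Heuristics (assumptions of this example): content with no business in a link attribute.
SUSPICIOUS = [
    ("markup character", re.compile(r"[<>\"'`]")),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-capable URL scheme", re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.I)),
]


def audit_post(post_id, content):
    """Return (post_id, attribute, value, reason) for each suspicious attribute value."""
    findings = []
    for tag in TAG_RE.finditer(content):
        for attr in ATTR_RE.finditer(tag.group(1)):
            name = attr.group(1)
            # Exactly one of the three value groups matched (quoted or bare).
            raw = next(g for g in attr.groups()[1:] if g is not None)
            value = html.unescape(raw)  # the editor may have stored entities
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((post_id, name, value, reason))
    return findings


# Constructed sample rows (post ID, post_content); the attribute names are made up.
SAMPLE_POSTS = [
    (101, 'Lunch: [nsc_eprm_menu_link id="12" label="Lunch menu"]'),
    (102, """[nsc_eprm_menu_link id="12" label='x" onmouseover="alert(1)']"""),
    (103, '[nsc_eprm_menu_link url="javascript:alert(1)"]'),
    (104, '[nsc_eprm_menu_link label="&lt;b&gt;Specials&lt;/b&gt;"]'),
    (105, '[some_other_shortcode label="<b>ignored</b>"]'),
]

if __name__ == "__main__":
    for post_id, content in SAMPLE_POSTS:
        for finding in audit_post(post_id, content):
            print(finding)
```

Findings are leads for manual review of the post and its author, not proof of exploitation; updating the plugin remains the actual fix.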

Reservation: 06/25/2025

Disclosure: 07/04/2025

Moderation: accepted

CPE: ready

EPSS: 0.00163

KEV: no

Activities: very low

Sector: Hospital
