VikRestaurants Table Reservations and Take-Away <= 1.5.2 - Reflected Cross-Site Scripting
Description
The VikRestaurants Table Reservations and Take-Away plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 1.5.2
What Changed in the Fix
Changes introduced in v1.5.3
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-25025
1. Vulnerability Summary
The VikRestaurants Table Reservations and Take-Away plugin for WordPress (versions <= 1.5.2) contains a reflected cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient sanitization and escaping of user-controlled input, specifically within the AJAX-driven dashboard widget system and list filtering views. Unauthenticated or low-privileged attackers can craft malicious URLs that, when clicked by a user (typically an administrator), execute arbitrary JavaScript in the context of the user's browser.
2. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php
- Action: vikrestaurants_update_widget (triggered via the vrest_widget_update logic) or direct view requests to index.php?option=com_vikrestaurants.
- Vulnerable Parameters: config array parameters (e.g., config[range], config[shift]) and potentially the widget_id.
- Authentication: Unauthenticated (as per CVE description, likely via wp_ajax_nopriv_ registration for frontend widgets or public-facing statistics).
- Preconditions: A widget must be active or the AJAX action must be reachable.
3. Code Flow
- Entry Point: An AJAX request is sent to admin-ajax.php with the action vrest_widget_update(
Summary
The VikRestaurants plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in version 1.5.2 and below. This occurs because the plugin's dashboard widget system reflects user-supplied configuration parameters in AJAX responses and unsafely processes them in the browser using jQuery, allowing unauthenticated attackers to execute arbitrary JavaScript if they can trick a logged-in administrator into clicking a malicious link.
Vulnerable Code
```php
// admin/layouts/statistics/widgets/service.php lines 177-181
// retrieve selected range text
var range = jQuery('select[name="<?php echo $widget->getName() . '_' . $widget->getID(); ?>_range"]')
    .find('option[value="' + config.range + '"]')
    .text();
```

```php
// admin/layouts/statistics/widgets/occupancy.php line 102
jQuery(widget).find('.badge.guests').html(data.guests + ' <i class="fas fa-male"></i><i class="fas fa-male"></i>');
```
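The two sinks above, rewritten the way a reviewer would ask for them. This is an added example, not code from the VikRestaurants plugin or from the advisory: it replaces the selector concatenation with a value comparison and escapes the guest count before it reaches `.html()`. It is written as plain functions so it runs under Node without jQuery; the `RANGE_OPTIONS` array stands in for the `<option>` elements the original selector searches, and the `findOptionText`, `escapeHtml` and `renderGuestsBadge` names are this example's own.

```javascript
// Added example (not code from the VikRestaurants plugin or its advisory): the
// two sinks quoted above rewritten so that a hostile config.range or
// data.guests value cannot change what the page does. Plain functions so it
// runs under Node without jQuery; RANGE_OPTIONS stands in for the <option>
// elements the original selector searches.

// 1. Selecting an <option> by value without building a selector string.
// The original concatenates config.range into 'option[value="..."]', so a value
// containing "] leaves the attribute selector. Comparing the value property
// directly has no string to break out of (jQuery equivalent:
// .find('option').filter(function () { return this.value === config.range; })).
function findOptionText(options, value) {
  const match = options.find((opt) => opt.value === value);
  return match ? match.text : "";
}

// 2. Escaping untrusted text before it is concatenated into markup for .html().
// The original passes data.guests straight into .html(); escaping the five
// HTML-significant characters keeps it as text while the fixed icon markup
// stays intact. (Rendering the count with .text() on a dedicated child element
// would also work.)
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderGuestsBadge(guests) {
  return escapeHtml(guests) + ' <i class="fas fa-male"></i><i class="fas fa-male"></i>';
}

// Constructed sample data: a range <select> with two options.
const RANGE_OPTIONS = [
  { value: "today", text: "Today" },
  { value: "week", text: "This week" },
];

// The selector-breaking value quoted in the advisory's outline, used here only
// to show that it matches no option and renders as inert text.
const SELECTOR_BREAKING_VALUE = '"]\');alert(1);//';

function demo() {
  return {
    normalRange: findOptionText(RANGE_OPTIONS, "week"),
    hostileRange: findOptionText(RANGE_OPTIONS, SELECTOR_BREAKING_VALUE),
    badge: renderGuestsBadge("<b>4</b>"),
    inertValue: escapeHtml(SELECTOR_BREAKING_VALUE),
  };
}
```

The server-side half of the fix still matters: the widget configuration should be validated against the allowed range and shift values before it is echoed back in the AJAX response, so the browser never sees a selector-breaking value in the first place.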
Security Fix
@@ -71,9 +77,15 @@ </div> <div class="widget-floating-box top-right"> + <a href="javascript:void(0)" class="overview-change-date" data-date="<?php echo $this->escape($prevDate->format($config->get('dateformat'))); ?>" aria-label="<?php echo $this->escape('Previous'); ?>"> + <i class="fas fa-angle-double-left" aria-hidden="true"></i> + </a> <span class="badge badge-important"> <?php echo JHtml::fetch('date', $date, JText::translate('DATE_FORMAT_LC3'), date_default_timezone_get()); ?> </span> + <a href="javascript:void(0)" class="overview-change-date" data-date="<?php echo $this->escape($nextDate->format($config->get('dateformat'))); ?>" aria-label="<?php echo $this->escape('Next'); ?>"> + <i class="fas fa-angle-double-right" aria-hidden="true"></i> + </a> </div> <!-- display rooms tables -->
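Review bot: none of the lines in this hunk touch the two sinks quoted under Vulnerable Code (the `option[value="' + config.range + '"]'` selector in service.php and the `.html(data.guests + ...)` call in occupancy.php), so the widget-update path described in the Summary is not closed by what is shown here; the service.php lookup should compare option values instead of concatenating config.range into a selector, and occupancy.php should render data.guests with `.text()` or an HTML-escaped string. Within the hunk itself, the new anchors correctly pass `data-date` and `aria-label` through `$this->escape()`, but the existing `<span class="badge badge-important">` still prints `JHtml::fetch('date', ...)` unescaped, so wrapping that output in `$this->escape()` as well would keep the block consistent. Lastly, `href="javascript:void(0)"` on both new links is blocked under a Content-Security-Policy that disallows `javascript:` URIs; a `<button type="button">`, or `href="#"` with preventDefault in the click handler, avoids that.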
Exploit Outline
The exploit targets the AJAX-driven dashboard widgets, specifically the update functionality triggered by administrative users. An attacker crafts a malicious URL pointing to the WordPress admin panel (wp-admin/admin.php or wp-admin/admin-ajax.php) including parameters that control the `config` array for a specific widget. For example, the `config[range]` parameter can be loaded with a payload like `"]');alert(1);//`. When an authenticated administrator visits this link, the AJAX response contains the malicious payload, which is subsequently executed by the `WIDGET_CALLBACKS` JavaScript logic because it is concatenated directly into a jQuery selector or injected into the DOM via `.html()` without proper sanitization.
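From the defender's side, the request shape described above is easy to spot in web server logs: a request to admin-ajax.php whose `config[...]` parameters carry quote, bracket or angle-bracket characters that no legitimate range or shift value contains. The following scanner is an added example, not part of the advisory or the plugin; it assumes Apache/nginx combined log format, uses the `config[` prefix and `admin-ajax.php` path from the advisory, and the three log lines are constructed for the demonstration (one benign widget update, one carrying the value quoted above, one unrelated request).

```javascript
// Added example (not from the plugin or the advisory): flag access-log requests
// to admin-ajax.php whose config[...] parameters contain characters that break
// out of a selector string or HTML text. Combined log format is assumed.

// Characters that no legitimate range/shift value needs but that break out of
// a quoted selector or of HTML text.
const SUSPICIOUS = /["'<>()]/;

// Extract the request target from a combined-format log line.
function parseRequestLine(logLine) {
  const m = logLine.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the config[...] parameters of an admin-ajax.php request whose decoded
// value contains a suspicious character. Other paths return nothing.
function suspiciousConfigParams(target) {
  const q = target.indexOf("?");
  if (q === -1) return [];
  const path = target.slice(0, q);
  const query = target.slice(q + 1);
  if (!path.endsWith("/admin-ajax.php")) return [];
  const hits = [];
  for (const [name, value] of new URLSearchParams(query)) {
    if (name.startsWith("config[") && SUSPICIOUS.test(value)) {
      hits.push({ name, value });
    }
  }
  return hits;
}

// Scan a list of log lines and return one finding per suspicious parameter.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const target = parseRequestLine(line);
    if (!target) continue;
    for (const hit of suspiciousConfigParams(target)) {
      findings.push({ line, ...hit });
    }
  }
  return findings;
}

// Constructed sample lines (IPs, timestamps and sizes are made up).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=vrest_widget_update&widget_id=3&config%5Brange%5D=week HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Feb/2026:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=vrest_widget_update&widget_id=3&config%5Brange%5D=%22%5D%27%29%3Balert%281%29%3B%2F%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Feb/2026:10:00:09 +0000] "GET /index.php?option=com_vikrestaurants HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

function runScan() {
  return scanLog(SAMPLE_LOG);
}
```

Because the vulnerability is reflected, the attacker's value appears in the victim's request rather than the attacker's, so the logged source address is the tricked administrator's; the finding is useful for confirming exposure and for WAF tuning, not for attribution.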