[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdnBpM8EjNasUwb088E0pWqLnjaNwbHRxWpi3Lxs-X_g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25025","vikrestaurants-table-reservations-and-take-away-reflected-cross-site-scripting","VikRestaurants Table Reservations and Take-Away \u003C= 1.5.2 - Reflected Cross-Site Scripting","The VikRestaurants Table Reservations and Take-Away plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","vikrestaurants",null,"\u003C=1.5.2","1.5.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 20:46:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3c6841e7-fddf-45b1-9d18-00911325b1d3?source=api-prod",4,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fvikrestaurants.css","admin\u002Flayouts\u002Fblocks\u002Foperatorlog.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Fadminnotes.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Fcustomers.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foccupancy.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foverview\u002Ftable.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Frog.php","admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Fservice.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-25025\n\n## 1. Vulnerability Summary\nThe **VikRestaurants Table Reservations and Take-Away** plugin for WordPress (versions \u003C= 1.5.2) contains a reflected cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient sanitization and escaping of user-controlled input, specifically within the AJAX-driven dashboard widget system and list filtering views. Unauthenticated or low-privileged attackers can craft malicious URLs that, when clicked by a user (typically an administrator), execute arbitrary JavaScript in the context of the user's browser.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `vikrestaurants_update_widget` (triggered via the `vrest_widget_update` logic) or direct view requests to `index.php?option=com_vikrestaurants`.\n- **Vulnerable Parameters:** `config` array parameters (e.g., `config[range]`, `config[shift]`) and potentially the `widget_id`.\n- **Authentication:** Attacker unauthenticated; the victim must be a logged-in user who can reach the admin dashboard widgets (the CVSS vector is PR:N\u002FUI:R). The CVE description's \"unauthenticated\" refers to the attacker, not to the endpoint, so it does not by itself imply a `wp_ajax_nopriv_` registration of the widget action; whether the action is exposed to non-logged-in users, and whether it is nonce-protected, has to be confirmed in the plugin source.\n- **Preconditions:** A widget must be active or the AJAX action must be reachable.\n\n## 3. Code Flow\n1. **Entry Point:** An AJAX request is sent to `admin-ajax.php` with the action `vrest_widget_update` (","The VikRestaurants plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in version 1.5.2 and below. The (unverified) research attributes this to the plugin's dashboard widget system reflecting user-supplied configuration parameters in AJAX responses and processing them in the browser using jQuery, allowing unauthenticated attackers to execute arbitrary JavaScript if they can trick a logged-in administrator into clicking a malicious link. Note that the quoted jQuery code only concatenates `config.range` into a `.find()` selector string, which is not by itself a script-execution sink; the actual reflection point should be confirmed against the 1.5.3 patch.","\u002F\u002F admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Fservice.php lines 177-181\n\t\t\t\u002F\u002F retrieve selected range text\n\t\t\tvar range = jQuery('select[name=\"\u003C?php echo $widget->getName() . '_' . 
$widget->getID(); ?>_range\"]')\n\t\t\t\t.find('option[value=\"' + config.range + '\"]')\n\t\t\t\t\t.text();\n\n---\n\n\u002F\u002F admin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foccupancy.php line 102\n\t\tjQuery(widget).find('.badge.guests').html(data.guests + ' \u003Ci class=\"fas fa-male\">\u003C\u002Fi>\u003Ci class=\"fas fa-male\">\u003C\u002Fi>');","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrestaurants\u002F1.5.2\u002Fadmin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foverview\u002Ftable.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrestaurants\u002F1.5.3\u002Fadmin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foverview\u002Ftable.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrestaurants\u002F1.5.2\u002Fadmin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foverview\u002Ftable.php\t2025-12-29 12:05:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrestaurants\u002F1.5.3\u002Fadmin\u002Flayouts\u002Fstatistics\u002Fwidgets\u002Foverview\u002Ftable.php\t2026-01-16 17:00:38.000000000 +0000\n@@ -71,9 +77,15 @@\n \t\u003C\u002Fdiv>\n \n \t\u003Cdiv class=\"widget-floating-box top-right\">\n+\t\t\u003Ca href=\"javascript:void(0)\" class=\"overview-change-date\" data-date=\"\u003C?php echo $this->escape($prevDate->format($config->get('dateformat'))); ?>\" aria-label=\"\u003C?php echo $this->escape('Previous'); ?>\">\n+\t\t\t\u003Ci class=\"fas fa-angle-double-left\" aria-hidden=\"true\">\u003C\u002Fi>\n+\t\t\u003C\u002Fa>\n \t\t\u003Cspan class=\"badge badge-important\">\n \t\t\t\u003C?php echo JHtml::fetch('date', $date, JText::translate('DATE_FORMAT_LC3'), date_default_timezone_get()); ?>\n \t\t\u003C\u002Fspan>\n+\t\t\u003Ca href=\"javascript:void(0)\" class=\"overview-change-date\" data-date=\"\u003C?php echo $this->escape($nextDate->format($config->get('dateformat'))); 
?>\" aria-label=\"\u003C?php echo $this->escape('Next'); ?>\">\n+\t\t\t\u003Ci class=\"fas fa-angle-double-right\" aria-hidden=\"true\">\u003C\u002Fi>\n+\t\t\u003C\u002Fa>\n \t\u003C\u002Fdiv>\n \n \t\u003C!-- display rooms tables -->","The exploit targets the AJAX-driven dashboard widgets, specifically the update functionality triggered by administrative users. An attacker crafts a malicious URL pointing to the WordPress admin panel (wp-admin\u002Fadmin.php or wp-admin\u002Fadmin-ajax.php) including parameters that control the `config` array for a specific widget; the attacker needs no account, but the victim must be a logged-in user who can reach these admin widgets (CVSS PR:N\u002FUI:R). The `config[range]` payload suggested here, `\"]');alert(1);\u002F\u002F`, assumes the value is spliced into JavaScript source, but in the quoted service.php code `config.range` is a runtime string concatenated into the selector argument of jQuery `.find()`, which is never evaluated as code; that payload would only raise a jQuery 'unrecognized expression' error. For script execution the reflected value has to reach an HTML-interpreting sink, such as the `.html()` call quoted from occupancy.php, or be echoed unescaped into the PHP-rendered widget markup; the quoted excerpt does not show `data.guests` being derived from request input, the `WIDGET_CALLBACKS` logic named here does not appear in the quoted code, and the research is marked unverified, so the exact reflection point and whether the admin-ajax action is nonce-protected must be confirmed against the 1.5.2 source before this outline is relied on.","gemini-3-flash-preview","2026-04-17 23:42:42","2026-04-17 23:43:32",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrestaurants\u002Ftags\u002F1.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvikrestaurants.1.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrestaurants\u002Ftags\u002F1.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvikrestaurants.1.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrestaurants\u002Ftags"]