CVE-2025-14112 Overview
The Snillrik Restaurant plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the menu_style shortcode attribute. All versions up to and including 2.2.1 are affected due to insufficient input sanitization and output escaping. This vulnerability enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which execute whenever a user visits an injected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of any user visiting affected pages, potentially leading to session hijacking, credential theft, or further site compromise.
Affected Products
- Snillrik Restaurant Menu Plugin for WordPress versions up to and including 2.2.1
- WordPress sites using vulnerable versions of the Snillrik Restaurant plugin
- Any WordPress installation with Contributor-level or higher user accounts and the vulnerable plugin installed
Discovery Timeline
- 2026-01-07 - CVE-2025-14112 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-14112
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability (CWE-79) exists within the shortcode processing functionality of the Snillrik Restaurant plugin. The menu_style shortcode attribute fails to properly sanitize user-supplied input before rendering it in the page output. When a user with at least Contributor-level privileges creates or edits content containing a malicious shortcode, the injected script is stored in the WordPress database and subsequently executed in the browsers of all users who view the affected page.
The attack requires network access and authenticated access at the Contributor level or above, but once the payload is stored, it affects all visitors to the compromised page without requiring any user interaction. This scope change—where the attacker's input affects users in a different security context—increases the potential impact of the vulnerability.
Root Cause
The root cause of this vulnerability is insufficient input sanitization and output escaping in the shortcode handler located in the shortcodes.php file at line 42. The plugin fails to validate and sanitize the menu_style attribute value before including it in the HTML output, allowing attackers to break out of the intended context and inject executable JavaScript code.
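To make the root cause concrete, here is an illustrative shortcode handler in the vulnerable shape beside a hardened one. This is added example code, not the Snillrik Restaurant plugin's source; the shortcode tag (demo_menu), the allowed style names and the markup are assumptions.

```php
<?php
// Illustrative shortcode handler, NOT the Snillrik Restaurant plugin's code.
// The tag name, the allowed style names and the markup are assumptions.

// Vulnerable shape: the attribute value is concatenated into the HTML as-is.
// A value containing a double quote and angle brackets can close the class
// attribute and the opening tag, so the stored markup (and any script in it)
// is rendered for every visitor of the page.
function demo_menu_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'menu_style' => 'classic' ), $atts, 'demo_menu' );
    return '<div class="demo-menu ' . $atts['menu_style'] . '">...</div>';
}

// Hardened shape: treat menu_style as an enumerated choice, not free text.
// Anything outside the allowlist falls back to the default, and the value is
// still escaped on output as defence in depth (esc_attr is WordPress core).
function demo_menu_shortcode_hardened( $atts ) {
    $allowed = array( 'classic', 'modern', 'compact' ); // assumed style names
    $atts    = shortcode_atts( array( 'menu_style' => 'classic' ), $atts, 'demo_menu' );
    $style   = in_array( $atts['menu_style'], $allowed, true ) ? $atts['menu_style'] : 'classic';
    return '<div class="demo-menu ' . esc_attr( $style ) . '">...</div>';
}
add_shortcode( 'demo_menu', 'demo_menu_shortcode_hardened' );
```

The allowlist is the actual fix; esc_attr on its own only protects the quoted-attribute context it is used in, so it should not be the sole control when the value is meant to be one of a few known names.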
Attack Vector
An authenticated attacker with Contributor-level access can craft a malicious shortcode containing JavaScript payloads within the menu_style attribute. When the content is saved and published (or submitted for review), the malicious script is stored in the database. The payload executes whenever any user—including administrators—views the page containing the injected shortcode.
The attack flow involves:
- Attacker obtains Contributor-level (or higher) access to the WordPress site
- Attacker creates or edits a post/page using the Snillrik Restaurant shortcode with a malicious menu_style value
- The payload is stored in the WordPress database without proper sanitization
- Any visitor to the affected page triggers execution of the injected script in their browser context
For technical implementation details, refer to the WordPress Plugin Source Code where the vulnerable code resides.
Detection Methods for CVE-2025-14112
Indicators of Compromise
- Unusual or unexpected JavaScript code within post or page content containing Snillrik Restaurant shortcodes
- Unexpected menu_style attribute values containing script tags, event handlers, or encoded payloads
- User reports of browser security warnings or unexpected behavior when viewing restaurant menu pages
- Evidence of data exfiltration attempts in network logs originating from pages using the plugin
Detection Strategies
- Review WordPress database entries for posts and pages containing Snillrik Restaurant shortcodes with suspicious menu_style attribute values
- Implement Content Security Policy (CSP) headers to detect and prevent inline script execution
- Monitor WordPress audit logs for content modifications made by Contributor-level accounts that include shortcode usage
- Use web application firewall (WAF) rules to detect XSS patterns in shortcode attributes
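The first detection strategy above (reviewing stored content for suspicious menu_style values) can be scripted. The following is an added example, not code from the plugin or from Wordfence: a pure PHP helper that scans a post's content for shortcode tags carrying a menu_style attribute and flags values that are not a plain style token. The shortcode tag name is not hard-coded because the plugin's tag is not stated in this advisory, and the sample post content is constructed.

```php
<?php
// Added detection helper (not from the plugin). Scans post content for any
// [shortcode ...] tag with a menu_style attribute and flags non-token values.
// In a live site, feed it each post_content row from wp_posts (e.g. via get_posts).

function find_suspicious_menu_style( $post_content ) {
    $findings = array();
    // Mirror the attribute forms WordPress accepts: double-quoted, single-quoted, or bare.
    $pattern = '/\[([a-z0-9_-]+)[^\]]*?\bmenu_style\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    if ( ! preg_match_all( $pattern, $post_content, $matches, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $matches as $m ) {
        $value = '';
        foreach ( array( 2, 3, 4 ) as $group ) { // whichever quoting form matched
            if ( isset( $m[ $group ] ) && '' !== $m[ $group ] ) {
                $value = $m[ $group ];
                break;
            }
        }
        // A legitimate style name is a short token; quotes, angle brackets,
        // ampersands, parentheses or whitespace have no business in it.
        if ( ! preg_match( '/^[a-z0-9_-]{0,32}$/i', $value ) ) {
            $findings[] = array( 'tag' => $m[1], 'menu_style' => $value );
        }
    }
    return $findings;
}

// Constructed sample post content: one benign tag, one with a script tag,
// and one with an HTML-entity-encoded payload.
$sample_post_content = "Today's specials:\n"
    . "[demo_menu menu_style=\"classic\"]\n"
    . "[demo_menu menu_style='<script>alert(1)</script>']\n"
    . "[demo_menu menu_style=\"&lt;script&gt;alert(1)&lt;/script&gt;\"]";

foreach ( find_suspicious_menu_style( $sample_post_content ) as $finding ) {
    printf( "suspicious [%s] menu_style=%s\n", $finding['tag'], $finding['menu_style'] );
}
```

Run against the sample, the first tag is silent and the other two are reported; post revisions (post_type revision) should be included in a real sweep, since a Contributor's draft persists there even if the published copy was cleaned.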
Monitoring Recommendations
- Enable detailed logging for all post and page modifications, particularly from accounts with Contributor-level access
- Implement real-time alerting for content changes that include potentially malicious patterns in shortcode attributes
- Regularly scan stored content for XSS indicators using WordPress security plugins
- Monitor browser-side errors and CSP violation reports that may indicate attempted script injection
How to Mitigate CVE-2025-14112
Immediate Actions Required
- Update the Snillrik Restaurant plugin to the latest patched version if available
- Review and audit all existing content using Snillrik Restaurant shortcodes for malicious menu_style values
- Temporarily disable the plugin if no patch is available and the functionality is not critical
- Review and restrict Contributor-level access to trusted users only until the vulnerability is addressed
Patch Information
Consult the Wordfence Vulnerability Report for the latest patch status and remediation guidance. Check the WordPress plugin repository for updates to the Snillrik Restaurant plugin that address this XSS vulnerability.
Workarounds
- Implement strict Content Security Policy (CSP) headers to mitigate the impact of XSS attacks by restricting script execution
- Restrict or remove Contributor-level access for untrusted users until the plugin is patched
- Use a Web Application Firewall (WAF) with XSS detection rules to filter malicious input
- Consider using alternative restaurant menu plugins that do not have known vulnerabilities
# Example CSP header configuration for Apache to mitigate XSS impact
# Add to .htaccess file (requires mod_headers to be enabled)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
# Note: script-src 'self' blocks inline <script> elements and inline event handlers, which is what limits
# a stored payload, but many WordPress themes and plugins emit legitimate inline scripts. Roll it out as
# Content-Security-Policy-Report-Only first and review the violation reports before enforcing.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.