CVE-2025-29014 Overview
CVE-2025-29014 is a reflected Cross-Site Scripting (XSS) vulnerability in the ZoomIt FoodMenu WordPress plugin (also distributed as dzs-restaurantmenu). The flaw stems from improper neutralization of user-controlled input during web page generation [CWE-79]. Affected versions include FoodMenu through version 1.20. An attacker can craft a malicious URL that, when clicked by an authenticated or anonymous user, executes arbitrary JavaScript in the victim's browser within the context of the vulnerable site.
Critical Impact
Successful exploitation enables session hijacking, credential theft, administrative action forgery, and delivery of further client-side payloads against WordPress users who visit a crafted link.
Affected Products
- ZoomIt FoodMenu WordPress plugin, versions through 1.20
- WordPress sites using the dzs-restaurantmenu package
- Any WordPress deployment that exposes the vulnerable FoodMenu endpoints to untrusted users
Discovery Timeline
- 2025-08-14 - CVE-2025-29014 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2025-29014
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the FoodMenu plugin. Input received through HTTP request parameters is echoed back into the rendered HTML response without proper encoding or sanitization. An attacker constructs a URL that embeds JavaScript inside a parameter that the plugin reflects into the DOM. When a victim follows the link, the browser parses the attacker-controlled markup and executes the script in the origin of the WordPress site.
Because the CVSS vector indicates a scope change with user interaction, the injected script can act against resources beyond the vulnerable component, including the WordPress administrative interface if an authenticated administrator triggers the payload. Exploit Prediction Scoring System (EPSS) data rates the probability of exploitation as low, but reflected XSS in WordPress plugins is commonly weaponized through phishing campaigns.
Root Cause
The plugin fails to apply output encoding (for example, esc_html(), esc_attr(), or wp_kses()) when rendering request parameters back to the page. WordPress provides context-aware escaping functions, but the affected FoodMenu code paths emit attacker-controlled values directly into HTML, attribute, or JavaScript contexts. This neutralization gap is the canonical pattern described by [CWE-79].
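To make the root cause concrete, the following Python illustration (added here; it is not the plugin's PHP and not from the advisory) reflects one constructed parameter value into an HTML body, a quoted attribute and a JavaScript string, each with the encoder that context needs. html.escape() and json.dumps() stand in for WordPress's esc_html(), esc_attr() and wp_json_encode(). Parsing the rendered output shows which rendering lets a second element through.

```python
"""Context-aware output encoding for a reflected request parameter.

Added illustration in Python, not the FoodMenu plugin's PHP. html.escape() and
a JSON encoder stand in for WordPress's esc_html(), esc_attr() and
wp_json_encode(); the point is that each output context needs its own encoder.
"""
import html
import json
from html.parser import HTMLParser

# Constructed sample of a reflected request parameter carrying markup.
SAMPLE_PARAM = '"><img src=x onerror=alert(1)>'


def render_unsafe(value):
    """Vulnerable pattern: the parameter is reflected verbatim into an attribute."""
    return '<input name="q" value="' + value + '">'


def render_html_body(value):
    """HTML text context: '&', '<' and '>' must become entities (esc_html())."""
    return "<p>Results for " + html.escape(value) + "</p>"


def render_attribute(value):
    """Quoted attribute context: quotes must be escaped as well (esc_attr()),
    otherwise the value closes the attribute and starts a new tag."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def js_string_literal(value):
    """JavaScript string context: JSON-encode, then replace '<', '>' and '&'
    with \\u escapes so the literal can never contain '</script>' or other
    markup, whatever the parameter holds. The result is still valid JSON."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_js(value):
    """Embed the parameter as a JavaScript string inside an inline script."""
    return "<script>var q = " + js_string_literal(value) + ";</script>"


def js_round_trips(value):
    """True if the encoded literal decodes back to the original value."""
    return json.loads(js_string_literal(value)) == value


class _TagCollector(HTMLParser):
    """Collects start-tag names to show what markup a parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Return the list of element start tags a parser finds in `rendered`."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe   :", tags_in(render_unsafe(SAMPLE_PARAM)))     # ['input', 'img']
    print("body     :", tags_in(render_html_body(SAMPLE_PARAM)))  # ['p']
    print("attribute:", tags_in(render_attribute(SAMPLE_PARAM)))  # ['input']
    print("js       :", render_js(SAMPLE_PARAM), js_round_trips(SAMPLE_PARAM))
```

The unsafe rendering yields two elements (the injected img carries the event handler); the attribute-encoded rendering yields only the intended input. The JavaScript case is the one most often missed: HTML entities are wrong inside a script block, so the value is JSON-encoded and its angle brackets turned into \u escapes instead.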
Attack Vector
The attack is delivered over the network and requires the victim to interact with a crafted link. A typical exploitation flow involves an attacker hosting or distributing a URL pointing to a vulnerable FoodMenu endpoint with a malicious payload embedded in a reflected parameter. The victim's browser renders the response and executes the script, which can then exfiltrate cookies or session tokens, or issue authenticated requests to wp-admin on behalf of the user.
No verified public proof-of-concept code is available. See the Patchstack advisory for further technical context.
Detection Methods for CVE-2025-29014
Indicators of Compromise
- HTTP requests to FoodMenu plugin endpoints containing characters such as <script>, onerror=, onload=, or URL-encoded equivalents (%3Cscript%3E).
- Referrer headers pointing to external phishing domains followed by requests to wp-admin pages.
- Unexpected outbound requests from administrator browsers to attacker-controlled hosts following a FoodMenu page visit.
Detection Strategies
- Inspect web server access logs for query string parameters delivered to FoodMenu routes that contain HTML or JavaScript syntax.
- Deploy a Web Application Firewall (WAF) rule that flags reflected XSS payloads against the dzs-restaurantmenu URL paths.
- Correlate browser-side Content Security Policy (CSP) violation reports with WordPress access logs to surface successful reflections.
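As an added example (not from the advisory or Patchstack), the following Python scanner implements the first strategy above over constructed access-log lines in the Apache/nginx combined format. It restricts itself to the dzs-restaurantmenu path prefix that the WAF rule later on this page uses, URL-decodes each query parameter once (the form the plugin receives), and applies the same token pattern as that rule. The endpoint file name, IP addresses and referrer domain are placeholders.

```python
"""Scan web-server access logs for HTML/JavaScript syntax sent to FoodMenu routes.

Added detection example, not from the advisory or the plugin. It applies the
token pattern of the advisory's ModSecurity rule to each URL-decoded query
parameter of requests under /wp-content/plugins/dzs-restaurantmenu/.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Path prefix and token pattern taken from the advisory's WAF rule.
PLUGIN_PREFIX = "/wp-content/plugins/dzs-restaurantmenu/"
XSS_TOKENS = re.compile(r"(?i)(<script|onerror=|onload=|javascript:)")

# Constructed sample log lines; the endpoint file name is a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Aug/2025:10:01:02 +0000] "GET /wp-content/plugins/dzs-restaurantmenu/example-endpoint.php?cat=pizza HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Aug/2025:10:03:15 +0000] "GET /wp-content/plugins/dzs-restaurantmenu/example-endpoint.php?cat=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "http://phishing.example/" "Mozilla/5.0"
203.0.113.12 - - [14/Aug/2025:10:04:40 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.13 - - [14/Aug/2025:10:06:01 +0000] "GET /wp-content/plugins/dzs-restaurantmenu/example-endpoint.php?cat=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 644 "-" "Mozilla/5.0"
203.0.113.14 - - [14/Aug/2025:10:07:30 +0000] "GET /wp-content/plugins/dzs-restaurantmenu/example-endpoint.php?ret=javascript%3Aalert(1) HTTP/1.1" 200 630 "-" "Mozilla/5.0"
"""


def scan_access_log(lines, prefix=PLUGIN_PREFIX):
    """Return one finding per query parameter whose decoded value (or name)
    matches XSS_TOKENS on a request under `prefix`.

    Only requests under `prefix` are examined, mirroring the advisory's WAF
    rule; parse_qs() URL-decodes once, which is the form the plugin receives.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(prefix):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hit = XSS_TOKENS.search(value) or XSS_TOKENS.search(name)
                if hit:
                    findings.append({
                        "line": line_no,
                        "ip": m.group("ip"),
                        "param": name,
                        "token": hit.group(1).lower(),
                        "referer": m.group("referer"),
                    })
                    break  # one finding per parameter is enough
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the scanner flags lines 2, 4 and 5 and ignores the search request on line 3 because it is outside the plugin path; passing prefix="/" widens the scope to the whole site. The token list is deliberately the narrow one from the page's WAF rule, so extend XSS_TOKENS if you want broader coverage. The referrer captured on line 2 is the kind of value the Indicators of Compromise section says to correlate with subsequent wp-admin requests.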
Monitoring Recommendations
- Enable verbose logging on the WordPress reverse proxy and forward logs to a centralized analytics platform for query-string inspection.
- Monitor administrator session activity for anomalies such as new user creation, plugin installation, or option changes that follow inbound link clicks.
- Track plugin version inventory across WordPress sites and alert on installations of FoodMenu at version 1.20 or earlier.
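The version-inventory check above is simple to get wrong when plugin versions are compared as strings: "1.3" sorts after "1.20" as text, so a naive check would treat a 1.3 install as newer than the last affected release. The following Python inventory check is an added example (not the advisory's tooling); the cut-off comes from the advisory's "through version 1.20", and the site list is constructed.

```python
"""Flag WordPress sites whose FoodMenu plugin is at an affected version.

Added inventory check, not the advisory's own tooling. The cut-off comes from
the advisory ("through version 1.20"); the inventory below is constructed.
"""
import re

LAST_AFFECTED = "1.20"

# Constructed plugin inventory: site -> installed FoodMenu version (None = not installed).
SAMPLE_INVENTORY = {
    "shop.example": "1.20",
    "cafe.example": "1.3",
    "bistro.example": "1.21",
    "blog.example": None,
}


def version_key(version):
    """Turn '1.20.1' into (1, 20, 1) so components compare numerically.

    A plain string comparison gets this wrong: '1.3' > '1.20' is True as text,
    which would mark 1.3 as newer than 1.20 and leave an affected site unflagged.
    A pre-release suffix after '-' (e.g. '1.2-beta') is dropped before comparing.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True for any version up to and including the advisory's last affected release."""
    return version_key(version) <= version_key(last_affected)


def sites_needing_action(inventory):
    """Return sites that have the plugin installed at an affected version."""
    return sorted(site for site, ver in inventory.items()
                  if ver is not None and is_affected(ver))


if __name__ == "__main__":
    print(sites_needing_action(SAMPLE_INVENTORY))  # ['cafe.example', 'shop.example']
```

Because no fixed release is named in the advisory, the check treats everything up to and including 1.20 as affected; lower LAST_AFFECTED only if the vendor later states a different boundary.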
How to Mitigate CVE-2025-29014
Immediate Actions Required
- Upgrade the ZoomIt FoodMenu plugin to a release later than 1.20 once the vendor publishes a fixed version.
- If no patched version is available, deactivate and remove the FoodMenu plugin from all WordPress installations.
- Force a password reset and session invalidation for administrators who may have clicked untrusted links referencing the site.
Patch Information
Refer to the Patchstack WordPress vulnerability database entry for the latest patch availability and vendor guidance. The advisory indicates the issue affects FoodMenu from initial release through version 1.20.
Workarounds
- Apply a WAF virtual patch that blocks requests to FoodMenu endpoints containing HTML special characters in query parameters.
- Enforce a strict Content Security Policy that disallows inline script execution to reduce the impact of reflected payloads.
- Restrict access to vulnerable FoodMenu URLs at the reverse proxy until the plugin is updated or removed.
# Example WAF rule (ModSecurity) to block reflected XSS payloads on FoodMenu endpoints
SecRule REQUEST_URI "@contains /wp-content/plugins/dzs-restaurantmenu/" \
"id:1029014,phase:2,deny,status:403,log,\
msg:'Blocked potential XSS targeting FoodMenu CVE-2025-29014',\
chain"
SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.