Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Responsive Food and Drink Menu WordPress plugin. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its display_pdf_menus shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts into pages, which then execute whenever those pages are viewed by other users.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user session data, defacing website content, or performing actions on behalf of other users without their consent, potentially compromising the security and integrity of the affected website.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately disable or uninstall the Responsive Food and Drink Menu plugin if it is installed, as it has been closed and is no longer available for download pending a security review. Additionally, restrict contributor-level access and above to trusted users only, and monitor for any suspicious activity on pages using the display_pdf_menus shortcode. Consider applying any future patches or updates once the plugin is re-released after the security review. [1]

Useful 0 Not Useful 0