CVE-2025-11496 – This stored XSS vulnerability in the Five Star ... (How to Fix)

Q: What is the severity of CVE-2025-11496?

CVE-2025-11496 has a CVSS score of 6.1 (MEDIUM). This stored XSS vulnerability in the Five Star Restaurant Reservations WordPress plugin allows unauthenticated attackers to inject malicious scripts via the 'rtb-name' parameter. The scripts execute when users view compromised reservation pages, potentially affecting all WordPress sites using vulnerable plugin versions.

📋 TL;DR

This stored XSS vulnerability in the Five Star Restaurant Reservations WordPress plugin allows unauthenticated attackers to inject malicious scripts via the 'rtb-name' parameter. The scripts execute when users view compromised reservation pages, potentially affecting all WordPress sites using vulnerable plugin versions.

💻 Affected Systems

Products:

Five Star Restaurant Reservations - WordPress Booking Plugin

Versions: All versions up to and including 2.7.5

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with the vulnerable plugin are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing sites, or display unwanted advertisements.

🟢

If Mitigated

With proper WAF rules and input validation, the risk reduces to minimal impact with potential script injection but limited execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple payload injection via reservation form fields requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408446%40restaurant-reservations&new=3408446%40restaurant-reservations&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Five Star Restaurant Reservations'. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.7.6+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate restaurant-reservations

WAF Rule Implementation

all

Add rule to block malicious input in rtb-name parameter

Modify WAF configuration to sanitize/block script tags in reservation form submissions

🧯 If You Can't Patch

Implement strict Content Security Policy (CSP) headers to limit script execution
Use web application firewall to filter malicious input in reservation forms

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin get restaurant-reservations --field=version

Verify Fix Applied:

Verify plugin version is 2.7.6 or higher and test reservation form for script injection

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to reservation endpoints with script tags in parameters
Multiple failed reservation attempts with encoded payloads

Network Indicators:

HTTP requests containing <script> tags in rtb-name parameter
Unusual outbound connections from reservation pages

SIEM Query:

source="wordpress.log" AND "rtb-name" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2025-11496

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.12% exploit probability (30.6th percentile)

Published: December 21, 2025

Last Updated: December 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11496, you might also want to check these: