CVE-2025-48319: 
WordPress vulnerability analysis and mitigation

The Mesa Mesa Reservation Widget WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-48319. This security issue affects versions up to and including 1.0.0 of the plugin. The vulnerability was discovered by Vinit Lakra and publicly disclosed on August 23, 2025 (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The issue stems from insufficient input sanitization and output escaping in the plugin (Patchstack).

This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is particularly relevant for multi-site installations and installations where unfiltered_html has been disabled (WPScan).

Currently, there is no official fix available for this vulnerability. As the software appears to be abandoned, users are strongly advised to remove and replace the plugin with a secure alternative (Patchstack).