CVE-2025-48323: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Md Abunaser Khan's Advance Food Menu WordPress plugin. The vulnerability, tracked as CVE-2025-48323, was discovered on August 22, 2025, and affects versions through 1.0. This stored XSS vulnerability allows authenticated users with high privileges to inject malicious scripts into web pages (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, with low attack complexity, requiring high privileges and user interaction. The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected pages (Patchstack).

No official fix is currently available for this vulnerability. As the software appears to be abandoned (last updated over a year ago), it is recommended to urgently consider removing and replacing the plugin with an alternative solution (Patchstack).