CVE-2025-58647: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Will.I.am Simple Restaurant Menu WordPress plugin, identified as CVE-2025-58647. The vulnerability affects versions through 1.2 of the Simple Restaurant Menu plugin and was disclosed on September 22, 2025. The vulnerability was discovered by security researcher Vinit Lakra (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). It has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (NVD, Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered low severity but could affect website integrity and user experience (Patchstack).

As there is no official fix available, the recommended mitigation strategy is to remove and replace the software with an alternative solution. It's noted that simply deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).