What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gslauraspeck Mesa Mesa Reservation Widget (mesa-mesa-reservation-widget) allows Stored XSS. This issue affects Mesa Mesa Reservation Widget: from n/a through <= 1.0.0.
Explanation of Vulnerability in Simple Terms
02 Summary
The Mesa Mesa Reservation Widget contains a cross-site scripting (XSS) vulnerability that allows an authenticated administrator to inject malicious scripts. When a victim visits an affected page, the injected code executes in their browser, potentially compromising their session or stealing data. The vulnerability affects all versions up to and including 1.0.0.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in a victim's browser when they view the widget.
Potential impact on your site
04 Site Impact
An admin account compromise could allow script injection affecting all site visitors who view the widget.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator privileges and the victim must visit a page containing the widget.
Key dates
06 Disclosure timeline
August 28, 2025: CVE published
April 28, 2026: Record updated