The plugin does not properly sanitize or escape inputs when creating new menu items, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
* Click on "Add New" under Restaurant Menu Plugin.
* Give it any title, such as Testing_XSS.
* All fields under Nutrition Facts and Portion Size are susceptible to XSS. Payload: `"><script>alert(1)</script>`
* XSS will trigger on visits to Menu Items in wp-admin as well as on the Menu Item's public pages.
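
The fix for this class of bug is to sanitize the fields on save and escape them in both places they are rendered. The following is an added example, not the plugin's own code: the field names, meta keys, nonce names and function names are hypothetical, and it assumes it is loaded inside WordPress with `rm_demo_render_meta_box` registered as a meta box callback.

```php
<?php
// Added example: hypothetical field and meta-key names, not the plugin's own.
const RM_DEMO_FIELDS = array( 'calories', 'total_fat', 'portion_size' );

// Save: sanitize on input so markup never reaches the database.
add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['rm_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['rm_demo_nonce'] ), 'rm_demo_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( RM_DEMO_FIELDS as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            // sanitize_text_field() strips tags, but a bare double quote
            // survives it, so output escaping below is still required.
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_post_meta( $post_id, '_rm_demo_' . $field, $value );
        }
    }
} );

// wp-admin meta box: the value lands inside an HTML attribute, so use esc_attr().
function rm_demo_render_meta_box( $post ) {
    wp_nonce_field( 'rm_demo_save', 'rm_demo_nonce' );
    foreach ( RM_DEMO_FIELDS as $field ) {
        $value = get_post_meta( $post->ID, '_rm_demo_' . $field, true );
        printf(
            '<p><label>%1$s <input type="text" name="%2$s" value="%3$s"></label></p>',
            esc_html( $field ),
            esc_attr( $field ),
            esc_attr( $value )
        );
    }
}

// Public page: the value lands in element content, so use esc_html().
function rm_demo_render_public( $post_id ) {
    $out = '<ul class="rm-demo-nutrition">';
    foreach ( RM_DEMO_FIELDS as $field ) {
        $value = get_post_meta( $post_id, '_rm_demo_' . $field, true );
        $out  .= sprintf( '<li>%s: %s</li>', esc_html( $field ), esc_html( $value ) );
    }
    return $out . '</ul>';
}
```

Escaping at output also neutralizes values stored before the fix, which sanitizing on save alone would leave in the database.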