Skip to main content

FW Food Menu CVE-2025-49447

| EUVDEUVD-2025-18509 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-06-17 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 20:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18509
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
CRITICAL 10.0

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu : from n/a through 6.0.0.

AnalysisAI

Remote arbitrary file upload in FW Food Menu WordPress plugin through version 6.0.0 allows unauthenticated attackers to upload executable files without restriction, leading to complete server compromise. The CVSS 10.0 Critical rating reflects network-accessible unauthenticated exploitation with scope change, enabling full system control. EPSS probability is low (0.10%, 29th percentile) indicating limited observed exploitation activity, though no public exploit identified at time of analysis. Patchstack-reported vulnerability affects installations using this restaurant menu management plugin.

Technical ContextAI

CWE-434 (Unrestricted Upload of File with Dangerous Type) represents insufficient validation of uploaded file types, extensions, or content. The FW Food Menu WordPress plugin, designed for restaurant menu management, fails to implement proper file upload restrictions. The CVSS vector indicates complete compromise potential (C:H/I:H/A:H) with scope change (S:C), suggesting the vulnerability breaks out of the plugin's security boundary to affect the underlying WordPress installation or web server. WordPress plugins commonly handle file uploads for menu images or documents but require strict validation of MIME types, file extensions, and content inspection to prevent PHP shell uploads. The network attack vector (AV:N) with no complexity (AC:L) indicates the vulnerable upload endpoint is directly accessible via HTTP/HTTPS without requiring special conditions like race conditions or specific timing.

RemediationAI

Update FW Food Menu plugin to version greater than 6.0.0 if vendor has released a patched version post-discovery; check WordPress plugin repository or vendor site for latest secure release. Upstream fix available (Patchstack reported to vendor); released patched version not independently confirmed from available data at time of analysis. If no patched version exists, immediately deactivate and remove the FW Food Menu plugin until vendor releases security update. Compensating controls if plugin must remain active: restrict wp-admin access via IP whitelist to prevent unauthenticated access to plugin endpoints (note: may not be effective if upload endpoint is public-facing); implement web application firewall rules blocking POST requests with executable file extensions (.php, .phtml, .php3, .php4, .php5, .phar) to plugin directories (trade-off: may break legitimate plugin file management features); configure web server to deny execution of PHP files in wp-content/plugins/fw-food-menu/uploads or similar directories via .htaccess or server config (preferred mitigation but requires server access). Monitor web server logs for suspicious POST requests to plugin paths and unexpected file creation in plugin directories. Consult Patchstack advisory https://patchstack.com/database/wordpress/plugin/fw-food-menu/vulnerability/wordpress-fw-food-menu-6-0-0-arbitrary-file-upload-vulnerability for vendor-specific remediation guidance.

Share

CVE-2025-49447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy