Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu : from n/a through 6.0.0.
AnalysisAI
Remote arbitrary file upload in FW Food Menu WordPress plugin through version 6.0.0 allows unauthenticated attackers to upload executable files without restriction, leading to complete server compromise. The CVSS 10.0 Critical rating reflects network-accessible unauthenticated exploitation with scope change, enabling full system control. EPSS probability is low (0.10%, 29th percentile) indicating limited observed exploitation activity, though no public exploit identified at time of analysis. Patchstack-reported vulnerability affects installations using this restaurant menu management plugin.
Technical ContextAI
CWE-434 (Unrestricted Upload of File with Dangerous Type) represents insufficient validation of uploaded file types, extensions, or content. The FW Food Menu WordPress plugin, designed for restaurant menu management, fails to implement proper file upload restrictions. The CVSS vector indicates complete compromise potential (C:H/I:H/A:H) with scope change (S:C), suggesting the vulnerability breaks out of the plugin's security boundary to affect the underlying WordPress installation or web server. WordPress plugins commonly handle file uploads for menu images or documents but require strict validation of MIME types, file extensions, and content inspection to prevent PHP shell uploads. The network attack vector (AV:N) with no complexity (AC:L) indicates the vulnerable upload endpoint is directly accessible via HTTP/HTTPS without requiring special conditions like race conditions or specific timing.
RemediationAI
Update FW Food Menu plugin to version greater than 6.0.0 if vendor has released a patched version post-discovery; check WordPress plugin repository or vendor site for latest secure release. Upstream fix available (Patchstack reported to vendor); released patched version not independently confirmed from available data at time of analysis. If no patched version exists, immediately deactivate and remove the FW Food Menu plugin until vendor releases security update. Compensating controls if plugin must remain active: restrict wp-admin access via IP whitelist to prevent unauthenticated access to plugin endpoints (note: may not be effective if upload endpoint is public-facing); implement web application firewall rules blocking POST requests with executable file extensions (.php, .phtml, .php3, .php4, .php5, .phar) to plugin directories (trade-off: may break legitimate plugin file management features); configure web server to deny execution of PHP files in wp-content/plugins/fw-food-menu/uploads or similar directories via .htaccess or server config (preferred mitigation but requires server access). Monitor web server logs for suspicious POST requests to plugin paths and unexpected file creation in plugin directories. Consult Patchstack advisory https://patchstack.com/database/wordpress/plugin/fw-food-menu/vulnerability/wordpress-fw-food-menu-6-0-0-arbitrary-file-upload-vulnerability for vendor-specific remediation guidance.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18509