CVE-2025-49447

EUVD-2025-18509 | CRITICAL
Published 2025-06-17
CVSS 3.1 base score: 10.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd), EUVD-2025-18509
CVE Published: Jun 17, 2025 - 15:15 (nvd), CRITICAL 10.0

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu : from n/a through 6.0.0.

Analysis

Critical unrestricted file upload (CWE-434) in Fastw3b LLC's FW Food Menu plugin, affecting all versions up to and including 6.0.0. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) describes an unauthenticated, network-reachable attack with low complexity and no user interaction whose impact extends beyond the plugin itself to the hosting site (Scope: Changed). If an uploaded file of a dangerous type can be reached and executed by the web server, the result is remote code execution and full loss of confidentiality, integrity and availability of the affected installation. Every internet-facing site running an affected version should be treated as at immediate risk.

Technical Context

The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): the plugin accepts uploaded files without sufficiently restricting their type before storing them. The advisory does not publish the affected upload path or the exact check that fails, so what follows is the general shape of this bug class, not confirmed detail. FW Food Menu is a WordPress plugin by Fastw3b LLC, so the dangerous types that matter are server-side scripts the PHP handler will execute (.php, .phtml, .phar and similar). Typical weaknesses in this class are trusting the client-supplied MIME type, checking only the last extension (so shell.php.jpg passes), case-sensitive blocklists, or no check at all. WordPress uploads normally land under the web-accessible wp-content/uploads/ tree, so unless the web server is configured to refuse script execution there, a stored malicious file can be requested directly and run. The "from n/a through 6.0.0" range means no lower bound was identified: assume every release up to and including 6.0.0 is affected.
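To make the bug class concrete, here is an added example (not FW Food Menu's code, whose upload handler is not published on this page) contrasting the weak check described above with a hardened validator for an image-only upload endpoint. The filenames, Content-Type values and byte strings are constructed:

```python
"""Weak vs hardened upload validation for an image-only endpoint.

Added example, not code from FW Food Menu or Fastw3b: the plugin's real
handler is not public on this page, so this models the CWE-434 pattern
generically. All inputs used with it are constructed.
"""
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Magic-byte prefixes for the image types we accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a PHP-enabled web server may execute. They are checked anywhere
# in the name, not only at the end, so shell.php.jpg is caught.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}


def weak_accept(filename: str, content_type: str) -> bool:
    """Typical insufficient check: trusts the client-declared Content-Type
    and inspects only the last extension. shell.php.jpg passes."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return content_type.startswith("image/") and ext in ALLOWED_EXT


def hardened_accept(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist + single extension + magic bytes + content sniff.
    Returns (accepted, reason) so callers can log the rejection cause."""
    base = os.path.basename(filename)
    if "\x00" in base or base != filename:  # null byte or path component
        return False, "bad name"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "multi-extension or no extension"
    ext = parts[1]
    if ext in EXEC_EXT or ext not in ALLOWED_EXT:
        return False, f"extension {ext} not allowed"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    # A valid image header does not rule out a polyglot carrying PHP.
    if re.search(rb"<\?(php|=)", data, re.IGNORECASE):
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name: the client never controls where the file lands."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(weak_accept("shell.php.jpg", "image/jpeg"))
    print(hardened_accept("shell.php.jpg", b"\xff\xd8\xff\xe0"))
    print(hardened_accept("poly.gif", b"GIF89a<?php echo 1; ?>"))
    print(hardened_accept("menu.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

The validator is still only half the control: even a correct allowlist does not help if the web server executes scripts from the uploads directory, so the execution-deny configuration in the Remediation section is needed regardless.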

Affected Products

FW Food Menu plugin by Fastw3b LLC, all releases up to and including version 6.0.0 (no lower bound is given). The source data does not include an NVD CPE match; an entry of the form cpe:2.3:a:fastw3b:fw_food_menu:*:*:*:*:*:*:*:* with a version range through 6.0.0 would be the expected shape, but confirm it against NVD before using it in inventory queries. No fixed version is referenced in the provided data, which means either that no patch had been released at the time of CVE assignment or that remediation details were pending publication. WordPress sites running the plugin with its upload functionality reachable from the internet are at highest risk. No vendor advisory reference is included here; check Fastw3b's official channels, the WordPress.org plugin page and changelog, and the vulnerability databases that track WordPress plugins.

Remediation

Immediate actions:

1. If version 6.0.0 or earlier is installed, deactivate and remove the FW Food Menu plugin until a patched version is confirmed available.
2. Check Fastw3b LLC's official website and the WordPress.org plugin page for a release later than 6.0.0 whose changelog identifies this issue as fixed, and update as soon as it is available.
3. If no patched version is available, apply compensating controls: configure the web server (Apache .htaccess or vhost configuration, or Nginx location rules) so that no PHP or other script is executed from the uploads directory. On Apache, also make sure the uploads directory cannot contain an attacker-supplied .htaccess that re-enables execution.
4. Enforce strict file type validation at the server or application level: allowlist only the expected image types (e.g. .jpg, .png), check file content (magic bytes) rather than the client-declared MIME type, and reject names with more than one extension.
5. Apply upload size limits and malware scanning to uploaded content.
6. Review web server access logs and the uploads directory for evidence of malicious uploads or of script files being requested from upload paths.
7. Monitor Fastw3b's security advisories and the WordPress plugin repository for the official patch and apply it immediately on release.
8. Where feasible, isolate affected systems until they are patched.
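Step 6 above is the one most teams improvise. The following added example (not from vuln.today, WordPress or Fastw3b) shows the two checks a responder would run after this kind of bug: a sweep of the uploads tree for files that should never be there, and a pass over access logs for script paths successfully served from wp-content/uploads/. The file tree and log lines are constructed; because the advisory does not name the plugin's upload endpoint, detection keys on the uploads directory rather than on a plugin-specific URL:

```python
"""Post-incident triage for an unrestricted-upload bug: sweep the uploads
tree for files that should never be there, and flag access-log entries
where a script was successfully served from the uploads path.

Added example, not code from vuln.today, WordPress or Fastw3b. The file
tree and log lines are constructed; the plugin's real upload endpoint is
not named in the advisory, so detection keys on the uploads directory
rather than on a plugin-specific URL.
"""
import os
import re
import tempfile

# Extensions a PHP-enabled web server will typically execute.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Combined Log Format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_uploads(root: str) -> list[tuple[str, str]]:
    """Return (path, reason) for files under root that carry a script
    extension anywhere in the name (shell.php.jpg), are a .htaccess, or
    contain a PHP open tag whatever their extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == ".htaccess":
                hits.append((path, "htaccess in uploads"))
                continue
            if set(name.lower().split(".")[1:]) & EXEC_EXT:
                hits.append((path, "script extension in name"))
                continue
            with open(path, "rb") as f:
                head = f.read(65536)  # tags are almost always near the start
            if PHP_TAG.search(head):
                hits.append((path, "php tag in non-script file"))
    return hits


def served_scripts_from_uploads(lines: list[str]) -> list[tuple[str, str, str]]:
    """Flag 2xx responses for a script-extension path under
    /wp-content/uploads/: legitimate uploads are never executable, so a
    successful fetch of one is the execution step of this attack.
    (4xx hits on such paths are probes worth counting separately.)"""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith("/wp-content/uploads/"):
            continue
        segments = path.rsplit("/", 1)[-1].split(".")[1:]
        if set(segments) & EXEC_EXT and m.group("status").startswith("2"):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2025:15:20:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.5"',
    '203.0.113.5 - - [17/Jun/2025:15:20:03 +0000] "GET /wp-content/uploads/2025/06/menu.php.jpg?cmd=id HTTP/1.1" 200 412 "-" "curl/8.5"',
    '198.51.100.9 - - [17/Jun/2025:15:21:10 +0000] "GET /wp-content/uploads/2025/06/pasta.jpg HTTP/1.1" 200 83411 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jun/2025:15:22:44 +0000] "GET /wp-content/uploads/2025/06/x.php HTTP/1.1" 404 0 "-" "curl/8.5"',
]


def build_demo_uploads(root: str) -> None:
    """Write a constructed uploads tree: one benign image and four artefacts
    of the kind an unrestricted upload leaves behind."""
    d = os.path.join(root, "2025", "06")
    os.makedirs(d, exist_ok=True)
    files = {
        "pasta.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,                     # benign
        "menu.php.jpg": b"\xff\xd8\xff\xe0<?php system($_GET['cmd']); ?>",  # double extension
        "shell.phtml": b"<?php echo 'x'; ?>",                              # script extension
        ".htaccess": b"AddType application/x-httpd-php .jpg\n",            # re-enables execution
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?= `id` ?>",   # polyglot
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)


def demo() -> dict:
    """Run both checks on the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_uploads(root)
        file_hits = suspicious_uploads(root)
    return {"files": sorted(reason for _, reason in file_hits),
            "log": served_scripts_from_uploads(SAMPLE_LOG)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed data the sweep flags four of the five files (the benign pasta.jpg is left alone) and the log pass flags the single 200 response for menu.php.jpg, while ignoring the 404 probe for x.php. In a real investigation, run the sweep against the live wp-content/uploads/ tree and feed the full access log through the second function; any hit on a 2xx script fetch means the upload has already been executed and the host should be treated as compromised.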

Priority Score

50 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +50
POC: 0


