CVE-2025-54038

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Cross Site Request Forgery. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.6.

Analysis

Cross-site request forgery (CSRF) in the Restaurant Menu by MotoPress WordPress plugin, versions up to and including 2.4.6, lets an unauthenticated attacker cause an authenticated user (typically an administrator) to perform unintended plugin actions by luring them to an attacker-controlled page while they are logged in to the site. The CVE record carries no CVSS score, and EPSS indicates a low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.

Technical Context

CSRF (CWE-352) occurs when a web application accepts a state-changing request without verifying that the authenticated user actually intended to send it. Because browsers attach the site's session cookies to cross-origin requests, a page the victim merely visits can submit a form to the target site carrying the victim's credentials; the standard defence is a per-user, per-action anti-CSRF token that a third-party site cannot obtain. In WordPress that token is the nonce: a plugin generates it with wp_create_nonce() (or emits it into a form with wp_nonce_field()) and must verify it on every state-changing request with wp_verify_nonce(), check_admin_referer() or, for admin-ajax.php handlers, check_ajax_referer(). A capability check such as current_user_can() does not prevent CSRF on its own, because the forged request is made by a browser whose user does hold the capability. WordPress plugins are installed under wp-content/plugins and typically receive administrative requests through admin-post.php, admin-ajax.php and their own settings pages in wp-admin. The vulnerability class indicates that at least one of the plugin's request handlers in versions up to 2.4.6 performed a state-changing action without verifying a nonce, so a crafted page could trigger that action in the browser of a logged-in administrator. The advisory does not identify which endpoint was affected.
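The pattern described above, shown as an added example in PHP (this is illustration code written for this page, not code from the Restaurant Menu plugin or from MotoPress): an admin-post handler that relies on a capability check alone, beside a hardened version that also verifies a nonce and restricts the HTTP method, followed by the form that produces a valid request and the equivalent check for an admin-ajax.php handler. The hook, option, nonce-action and field names (mprm_save_settings, mprm_settings, mprm_nonce, mprm_ajax, mprm_reorder, mprm_menu_order) are invented for the example; the page does not say which of the plugin's endpoints was affected.

```php
<?php
/**
 * Added example (not plugin code). All hook, option, nonce-action and field
 * names below are assumptions chosen for illustration.
 */

/* --- Vulnerable pattern: capability check only --------------------------- */

// Any logged-in user who hits /wp-admin/admin-post.php?action=mprm_save_settings
// reaches this callback. current_user_can() proves *who* the user is, not that
// *they* intended the request: a hidden form on an attacker's page that
// auto-submits to admin-post.php is sent with the victim's auth cookies and
// passes this check exactly like a legitimate submission.
function mprm_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    $settings = array(
        'currency' => sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) ),
    );
    update_option( 'mprm_settings', $settings );

    wp_safe_redirect( admin_url( 'admin.php?page=mprm-settings&updated=1' ) );
    exit;
}

/* --- Hardened pattern: POST only, nonce, then capability ----------------- */

function mprm_save_settings_hardened() {
    // State-changing actions must not be reachable through a top-level GET
    // navigation (a link or an <img src>), so reject anything but POST.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Invalid request method', 405 );
    }

    // check_admin_referer() verifies $_POST['mprm_nonce'] against the action
    // 'mprm_save_settings' for the current user and session and calls
    // wp_die() on failure. Nonces are bound to the user ID and session token,
    // so a third-party site has no way to read or forge a valid one.
    check_admin_referer( 'mprm_save_settings', 'mprm_nonce' );

    // Authorization is still required: the nonce only proves intent.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    $settings = array(
        'currency' => sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) ),
    );
    update_option( 'mprm_settings', $settings );

    wp_safe_redirect( admin_url( 'admin.php?page=mprm-settings&updated=1' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; admin_post_nopriv_{action}
// would be the anonymous counterpart.
add_action( 'admin_post_mprm_save_settings', 'mprm_save_settings_hardened' );

/* --- The settings form that produces a request the hardened handler accepts */

function mprm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mprm_save_settings">
        <?php
        // Emits <input type="hidden" name="mprm_nonce" value="..."> (the value
        // comes from wp_create_nonce()) plus a _wp_http_referer field.
        wp_nonce_field( 'mprm_save_settings', 'mprm_nonce' );
        ?>
        <label>Currency <input type="text" name="currency"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/* --- The same rule for an admin-ajax.php handler ------------------------- */

// check_ajax_referer() is the AJAX counterpart: with its default third argument
// it responds with -1 and HTTP 400 and exits when the nonce is invalid. The
// front-end script must send the value of wp_create_nonce( 'mprm_ajax' ) in the
// 'nonce' field of the request.
function mprm_ajax_reorder_hardened() {
    check_ajax_referer( 'mprm_ajax', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Coerce every submitted ID to a non-negative integer before storing it.
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    update_option( 'mprm_menu_order', $order );
    wp_send_json_success( $order );
}
add_action( 'wp_ajax_mprm_reorder', 'mprm_ajax_reorder_hardened' );
```

The order of checks in the hardened handler is deliberate: the method check and nonce check run before any capability check or input handling, so a forged request is rejected without touching plugin state, and the capability check is kept because a valid nonce from a low-privileged user must still not be enough to change administrator-only settings.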

Affected Products

Restaurant Menu by MotoPress WordPress plugin is affected from version n/a through 2.4.6 inclusive. The plugin is distributed through the WordPress plugin repository and managed by MotoPress. Detailed information is available in the Patchstack vulnerability database entry.

Remediation

Update the Restaurant Menu by MotoPress plugin to a release later than 2.4.6; consult the Patchstack advisory linked below for the exact fixed version and current patch status. Enable automatic plugin updates or check the WordPress Plugins screen for the update manually. Until the update is applied, keep the number of accounts with administrative capabilities to a minimum and instruct administrators not to browse untrusted sites from a browser session that is logged in to WordPress (or to log out when finished). Note that SameSite=Lax cookie handling, which Chromium-based browsers apply by default to cookies set without an explicit SameSite attribute, withholds cookies from cross-site POST requests but still sends them on top-level GET navigations, so it is at best a partial defence and not a substitute for nonce verification in the plugin. Official advisory: https://patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-6-cross-site-request-forgery-csrf-vulnerability

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0


CVE-2025-54038 vulnerability details – vuln.today
