Skip to main content

CVE-2025-54038

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Cross Site Request Forgery.This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.6.

AnalysisAI

Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.

Technical ContextAI

CSRF vulnerabilities (CWE-352) occur when web applications fail to validate that requests originate from legitimate sources, typically by omitting nonce verification or other anti-CSRF tokens. The Restaurant Menu by MotoPress plugin, distributed as a WordPress plugin (CPE context: WordPress plugins extend core WordPress functionality in shared hosting environments), processes administrative actions without confirmed token validation. WordPress plugins are loaded into the wp-admin and wp-content directories where they handle user-facing and administrative requests. The vulnerability class indicates the plugin likely lacks proper implementation of WordPress security functions like wp_verify_nonce() or wp_create_nonce() when processing form submissions or AJAX requests, allowing an attacker to craft a malicious webpage that triggers unintended plugin actions when an administrator visits it.

Affected ProductsAI

Restaurant Menu by MotoPress WordPress plugin is affected from version n/a through 2.4.6 inclusive. The plugin is distributed through the WordPress plugin repository and managed by MotoPress. Detailed information is available in the Patchstack vulnerability database entry.

RemediationAI

Update the Restaurant Menu by MotoPress plugin to the latest available version beyond 2.4.6, which should include CSRF token validation fixes. WordPress administrators should enable automatic plugin updates or manually check the WordPress plugin dashboard for available updates. As an interim measure, restrict plugin administration to trusted users and educate administrators to avoid clicking links from untrusted sources while logged into WordPress. Refer to the official advisory at https://patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-6-cross-site-request-forgery-csrf-vulnerability for the most current patch status and detailed mitigation guidance.

Share

CVE-2025-54038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy