Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Requires authenticated subscriber session (PR:L, AV:N); no confidentiality or availability impact confirmed; scope unchanged and complexity low.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
AnalysisAI
Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.
Technical ContextAI
The affected software is a WordPress plugin - Restaurant Menu by MotoPress - which provides restaurant operators a front-end and admin interface for managing menus. WordPress plugins rely on capability checks (e.g., current_user_can()) and nonce verification to enforce authorization. CWE-862 (Missing Authorization) indicates that one or more plugin endpoints or AJAX handlers execute privileged operations without verifying the caller's role or capability. The CVSS vector (PR:L) confirms that exploitation requires at least subscriber-level authentication, which is the lowest registered WordPress user tier. The affected CPE is inferred as the MotoPress restaurant menu plugin <=2.4.11 on WordPress; no CPE string was explicitly provided in source data.
RemediationAI
Update the Restaurant Menu by MotoPress plugin to a version released after 2.4.11. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-11-broken-access-control-vulnerability?_s_id=cve) is the authoritative source for the specific patched version, which was not explicitly stated in the provided data. As a compensating control for sites unable to update immediately, disabling user registration (Settings > General > uncheck 'Anyone can register' in WordPress) removes the ability for untrusted parties to obtain the subscriber role required for exploitation - note this prevents new user sign-ups as a trade-off. Additionally, restricting the plugin's AJAX endpoints via WAF rules targeting the plugin's action hooks may reduce exposure, though specific action names are not confirmed in the available data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210352
GHSA-4fvg-3xvw-5r9x