Skip to main content

WPCafe CVE-2026-11818

| EUVDEUVD-2026-42787 MEDIUM
Missing Authorization (CWE-862)
2026-07-10 Wordfence GHSA-vph4-6r3f-h2wc
5.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-reachable REST endpoints require only a subscriber account (PR:L); low complexity nonce bypass yields limited confidentiality and integrity impact with no availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 04:28 vuln.today
CVE Published
Jul 10, 2026 - 03:31 nvd
MEDIUM 5.4

DescriptionCVE.org

The WPCafe - Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The only protection on these endpoints is a wp_rest nonce check, which is obtainable by any logged-in user from the frontend page source.

AnalysisAI

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber-level WordPress account
Delivery
Log in and extract wp_rest nonce from frontend page source
Exploit
Identify notification flow REST API endpoints in WPCafe
Execution
Issue authenticated REST API requests to FlowAPI routes
Persist
Manipulate, delete, or bulk-delete admin notification workflows
Impact
Disrupt restaurant order and booking email automation

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum subscriber-level access - the vulnerability cannot be exploited by unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is consistent with the described flaw: network-reachable REST endpoints, low attack complexity, requiring only a subscriber-level account with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WPCafe-powered restaurant WordPress site with open registration enabled. After logging in, they retrieve the wp_rest nonce embedded in the frontend page source and issue authenticated REST API DELETE requests to the FlowAPI endpoints, bulk-deleting all configured notification workflows. …
Remediation Upgrade WPCafe to version 3.0.15 or later, which refactors the email notification automation layer and addresses the missing capability check (patched files visible at plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.15/core/email-automation/Service/email-notification.php). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy