Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-reachable REST endpoints require only a subscriber account (PR:L); low complexity nonce bypass yields limited confidentiality and integrity impact with no availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WPCafe - Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The only protection on these endpoints is a wp_rest nonce check, which is obtainable by any logged-in user from the frontend page source.
AnalysisAI
Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum subscriber-level access - the vulnerability cannot be exploited by unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is consistent with the described flaw: network-reachable REST endpoints, low attack complexity, requiring only a subscriber-level account with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WPCafe-powered restaurant WordPress site with open registration enabled. After logging in, they retrieve the wp_rest nonce embedded in the frontend page source and issue authenticated REST API DELETE requests to the FlowAPI endpoints, bulk-deleting all configured notification workflows. … |
| Remediation | Upgrade WPCafe to version 3.0.15 or later, which refactors the email notification automation layer and addresses the missing capability check (patched files visible at plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.15/core/email-automation/Service/email-notification.php). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42787
GHSA-vph4-6r3f-h2wc