Skip to main content

Restaurant Menu MotoPress EUVDEUVD-2025-210352

| CVE-2025-63078 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-4fvg-3xvw-5r9x
4.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Requires authenticated subscriber session (PR:L, AV:N); no confidentiality or availability impact confirmed; scope unchanged and complexity low.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:30 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

AnalysisAI

Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Technical ContextAI

The affected software is a WordPress plugin - Restaurant Menu by MotoPress - which provides restaurant operators a front-end and admin interface for managing menus. WordPress plugins rely on capability checks (e.g., current_user_can()) and nonce verification to enforce authorization. CWE-862 (Missing Authorization) indicates that one or more plugin endpoints or AJAX handlers execute privileged operations without verifying the caller's role or capability. The CVSS vector (PR:L) confirms that exploitation requires at least subscriber-level authentication, which is the lowest registered WordPress user tier. The affected CPE is inferred as the MotoPress restaurant menu plugin <=2.4.11 on WordPress; no CPE string was explicitly provided in source data.

RemediationAI

Update the Restaurant Menu by MotoPress plugin to a version released after 2.4.11. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-11-broken-access-control-vulnerability?_s_id=cve) is the authoritative source for the specific patched version, which was not explicitly stated in the provided data. As a compensating control for sites unable to update immediately, disabling user registration (Settings > General > uncheck 'Anyone can register' in WordPress) removes the ability for untrusted parties to obtain the subscriber role required for exploitation - note this prevents new user sign-ups as a trade-off. Additionally, restricting the plugin's AJAX endpoints via WAF rules targeting the plugin's action hooks may reduce exposure, though specific action names are not confirmed in the available data.

Share

EUVD-2025-210352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy