Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Food: from n/a through < 2.7.1.
AnalysisAI
Inadequate access control in WP Food plugin versions below 2.7.1 allows unauthenticated remote attackers to modify data without proper authorization checks. This vulnerability affects WordPress installations using the vulnerable WP Food plugin and could enable attackers to alter plugin functionality or data integrity. No patch is currently available for this issue.
Technical ContextAI
This vulnerability is rooted in CWE-862 (Missing Authorization), which occurs when the WP Food plugin fails to properly enforce access control checks before allowing sensitive operations. The plugin, which operates within the WordPress ecosystem (CPE identifier would be cpe:2.3:a:ex-themes:wp_food), lacks adequate authorization validation in one or more endpoints or functions, allowing unauthenticated users to perform actions that should be restricted to authenticated administrators or specific user roles. The vulnerability likely affects WordPress REST API endpoints or form handlers that do not verify user capabilities before processing requests, a common misconfiguration in WordPress plugins that extends WordPress's permission model inconsistently.
RemediationAI
Upgrade the WP Food plugin to version 2.7.1 or later immediately through the WordPress admin dashboard or the official plugin repository. This update addresses the authorization bypass by implementing proper access control checks. Until patching is feasible, administrators should enforce role-based access controls through WordPress permission management, restrict API access via Web Application Firewall rules to trusted IP ranges only, implement content integrity monitoring to detect unauthorized modifications, and review audit logs for any suspicious unauthorized requests. If immediate patching is not possible, consider temporarily disabling the plugin until the update can be applied.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11983