Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Contributor authentication makes PR:L; network/low-complexity injection yields AV:N/AC:L; SQLi read access gives C:H, with no evidence of write or DoS so I:N/A:N and S:U.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor SQL Injection in Restaurant Menu by MotoPress <= 2.4.10 versions.
AnalysisAI
SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least Contributor role (CVSS PR:L) on a site running Restaurant Menu by MotoPress version 2.4.10 or earlier; no user interaction is needed (UI:N) and the attack is fully network-reachable (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5) indicates network-reachable, low-complexity exploitation requiring only Contributor privileges and no user interaction, with a scope change and high confidentiality impact - a realistic risk on any site that grants Contributor accounts to semi-trusted authors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or is granted a Contributor account on a WordPress site running Restaurant Menu by MotoPress 2.4.10 or earlier, then submits a crafted request to the vulnerable plugin parameter that injects SQL into a backend query. Because the attack is network-based with low complexity and no user interaction, the attacker uses UNION-based or blind techniques to extract administrator password hashes and secrets from the wp_users and wp_options tables. … |
| Remediation | No exact fixed version was included in the provided data, so update the Restaurant Menu by MotoPress plugin to the latest available release per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-10-sql-injection-vulnerability?_s_id=cve) - any version above 2.4.10 - and verify the changelog confirms the SQL injection fix before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for the Restaurant Menu by MotoPress plugin, document installed versions and count users with Contributor+ roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39759
GHSA-q2fm-j9qm-p92m