Skip to main content

Restaurant Menu EUVDEUVD-2026-39759

| CVE-2026-57644 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-q2fm-j9qm-p92m
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
6.5 MEDIUM

Contributor authentication makes PR:L; network/low-complexity injection yields AV:N/AC:L; SQLi read access gives C:H, with no evidence of write or DoS so I:N/A:N and S:U.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:48 vuln.today

DescriptionCVE.org

Contributor SQL Injection in Restaurant Menu by MotoPress <= 2.4.10 versions.

AnalysisAI

SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level account
Exploit
Send crafted request to plugin endpoint
Execution
Inject SQL into backend query
Impact
Extract user hashes and secrets from database

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least Contributor role (CVSS PR:L) on a site running Restaurant Menu by MotoPress version 2.4.10 or earlier; no user interaction is needed (UI:N) and the attack is fully network-reachable (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5) indicates network-reachable, low-complexity exploitation requiring only Contributor privileges and no user interaction, with a scope change and high confidentiality impact - a realistic risk on any site that grants Contributor accounts to semi-trusted authors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or is granted a Contributor account on a WordPress site running Restaurant Menu by MotoPress 2.4.10 or earlier, then submits a crafted request to the vulnerable plugin parameter that injects SQL into a backend query. Because the attack is network-based with low complexity and no user interaction, the attacker uses UNION-based or blind techniques to extract administrator password hashes and secrets from the wp_users and wp_options tables. …
Remediation No exact fixed version was included in the provided data, so update the Restaurant Menu by MotoPress plugin to the latest available release per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-10-sql-injection-vulnerability?_s_id=cve) - any version above 2.4.10 - and verify the changelog confirms the SQL injection fix before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for the Restaurant Menu by MotoPress plugin, document installed versions and count users with Contributor+ roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy