Skip to main content

Wpcafe

6 CVEs product

Monthly

CVE-2026-27071 CRITICAL Act Now

A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.

Authentication Bypass Wpcafe
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2024-43135 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.2.28. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Wpcafe
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-37513 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows Path Traversal.2.27. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Wpcafe
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-5431 HIGH This Week

The WPCafe - Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress PHP LFI Wpcafe
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2024-5427 MEDIUM PATCH This Month

The WPCafe - Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Reservation Form. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Wpcafe
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2024-1855 MEDIUM PATCH This Month

The WPCafe - Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Wpcafe
NVD
CVSS 3.1
5.3
EPSS
0.5%
EPSS 0% CVSS 9.1
CRITICAL Act Now

A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.

Authentication Bypass Wpcafe
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.2.28. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Wpcafe
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows Path Traversal.2.27. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Wpcafe
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The WPCafe - Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress PHP +2
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The WPCafe - Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Reservation Form. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Wpcafe
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The WPCafe - Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Wpcafe
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy