WordfenceVULNRICHMENT:CVE-2024-5459CVE-2024-5459 Restaurant Menu and Food Ordering <= 2.4.16 - Missing Authorization to Menu Creation
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.5 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
24.0%
The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on ‘add_section’, ‘add_menu’, ‘add_menu_item’, and ‘add_menu_page’ functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages.
CNA Affected
[
{
"vendor": "rustaurius",
"product": "Five Star Restaurant Menu and Food Ordering",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "2.4.16",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]References
plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111
plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144
plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62
plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80
plugins.trac.wordpress.org/changeset/3097599/
www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.5 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
24.0%