Arbitrary Code Execution in Food and Drink Menu Plugin for WordPress
CVE-2020-29045

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Five Star Restaurant Menu
Vendor: CVE Published:; 11 March 2021

Summary

The Food and Drink Menu plugin for WordPress, up to version 2.2.0, contains a security flaw that allows remote attackers to execute arbitrary code. This vulnerability arises from the insecure unserialize operation on the 'fdm_cart' cookie within the 'load_cart_from_cookie' function found in 'includes/class-cart-manager.php'. An attacker could exploit this flaw to manipulate the plugin's behavior, potentially leading to significant security breaches.

References

https://wordpress.org/plugins/food-and-drink-menu/#develo...

x_refsource_MISC

https://appcheck-ng.com/cve-2020-29045/

x_refsource_MISC

EPSS Score

35% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 11, 2021
Vulnerability Reserved
Nov 24, 2020