Authorization Bypass Flaw in Quick Restaurant Menu Plugin for WordPress
CVE-2023-0555

5.4 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
27 January 2023

Summary

The Quick Restaurant Menu plugin for WordPress is susceptible to an authorization bypass vulnerability due to inadequate capability checks in its AJAX functionality. This flaw allows authenticated users with subscriber-level permissions and above to access privileged actions intended exclusively for administrators, including creating, updating, and deleting menu items. Furthermore, the plugin lacks adequate verification mechanisms for post IDs provided in its AJAX requests, potentially leading to unauthorized deletion or alteration of arbitrary posts. It is essential for users of this plugin to update to the latest version to mitigate these risks and secure their WordPress installations.
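As an added illustration (not code from the plugin or from this advisory), the handler below shows the defect class the summary describes beside the hardened form a reviewer would expect: a capability check, a nonce check, and verification that the submitted post ID belongs to the plugin's own post type. Hook names, the nonce action and the post type are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook, nonce and post-type names are hypothetical.
// Pattern A: the defect class described above. Every logged-in user can reach a
// wp_ajax_* hook, and nothing here checks who is calling or what the ID points at.
add_action( 'wp_ajax_qrm_delete_item_unsafe', function () {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );   // no capability check, no post-type check
    wp_send_json_success();
} );

// Pattern B: the hardened handler.
add_action( 'wp_ajax_qrm_delete_item', function () {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (created with wp_create_nonce( 'qrm_delete_item' ) on the admin page).
    check_ajax_referer( 'qrm_delete_item', 'nonce' );

    // 2. Authorization: the action is administrator-only, so require that
    //    capability instead of relying on the user merely being logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the ID must refer to a post of the plugin's own type,
    //    so the handler cannot be pointed at arbitrary posts on the site.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'qrm_menu_item' !== $post->post_type ) {  // hypothetical post type
        wp_send_json_error( 'invalid post', 400 );
    }

    // 4. Object-level check: WordPress maps delete_post to the post type's
    //    meta capability, so ownership and status rules are applied per post.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
} );
```

The same three checks (nonce, capability, post-type/object check) apply to the create and update handlers; the fix for the advisory's second finding is step 3, which rejects IDs that are not the plugin's own menu items.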

Affected Version(s)

Quick Restaurant Menu <= 2.0.2 (all versions up to and including 2.0.2)


CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
Ivan Kuzymchak