Medium severity6.3NVD Advisory· Published Nov 3, 2022· Updated Apr 8, 2026

CVE-2022-2696

Description

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attackers with minimal permissions to perform a wide variety of actions such as modifying the plugin's settings and modifying the ordering system preferences.

Affected products

Oracle Corporation/Restaurant Menu Food Ordering System Table Reservation
cpe:2.3:a:oracle:restaurant_menu_-_food_ordering_system_-_table_reservation:*:*:*:*:*:wordpress:*:*
Range: <2.3.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatchThird Party Advisory
plugins.trac.wordpress.org/browser/menu-ordering-reservations/trunk/includes/admin/class-glf-admin-screens.phpnvdThird Party Advisory
www.wordfence.com/vulnerability-advisories-continued/nvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/01486af8-b378-4663-a9c5-167b8580db94nvd

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000