CVE-2024-13415
Description
The Food Menu plugin for WordPress lacks a capability check in its response() function, allowing authenticated users with Subscriber access to modify plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress contains a missing capability check in the response() function located in Settings.php [1]. This function handles AJAX requests to update plugin settings but only verifies a nonce, failing to enforce any user capability or role check. As a result, any authenticated user, including those with Subscriber-level access, can invoke the function.
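The pattern the overview describes, as an added illustration rather than the plugin's own code (handler, action and option names are hypothetical): a WordPress AJAX handler that checks only a nonce, beside one that also enforces a capability and sanitises the input.

```php
<?php
// Added illustration, not code from the Food Menu plugin. All names here are
// hypothetical. Assumes WordPress core functions are loaded.

// Weak pattern: a nonce proves the request came from a page that rendered the
// nonce, not that the user is allowed to change settings. Any logged-in user,
// including a Subscriber, can pass this check.
function fm_example_save_settings_nonce_only() {
    check_ajax_referer( 'fm_example_settings', 'nonce' );
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'fm_example_settings', $settings ); // no capability check, no sanitising
    wp_send_json_success();
}

// Hardened pattern: nonce AND capability check, then sanitised input.
function fm_example_save_settings_hardened() {
    check_ajax_referer( 'fm_example_settings', 'nonce' );

    // Authorisation: only users who may manage options reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // map_deep applies the sanitiser to every leaf of a nested array.
    $clean = map_deep( $raw, 'sanitize_text_field' );

    update_option( 'fm_example_settings', $clean );
    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}

// wp_ajax_ (without the nopriv variant) limits the endpoint to authenticated
// users, but "authenticated" includes Subscribers. The current_user_can()
// check inside the handler is what restricts it to administrators.
add_action( 'wp_ajax_fm_example_save_settings', 'fm_example_save_settings_hardened' );
```

When reviewing a plugin's AJAX handlers, the thing to look for is exactly this gap: a `check_ajax_referer()` call with no accompanying `current_user_can()` before any `update_option()` or similar write.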
Exploitation
An attacker with a valid WordPress account (Subscriber or above) can craft a malicious AJAX request targeting the response() endpoint. The request must include a valid nonce, which can be obtained from the plugin's admin pages or by other means. Once the request is processed, the attacker can supply arbitrary settings data that will be saved to the plugin's options.
Impact
Successful exploitation allows the attacker to modify the plugin's configuration settings. This could alter the restaurant menu display, online ordering behavior, or other critical options, potentially leading to defacement, service disruption, or unintended changes to the site's functionality.
Mitigation
The vendor has addressed this issue in a patched version of the plugin (likely 5.1.5 or later). Users are strongly advised to update to the latest version immediately. No workarounds are available for unpatched installations.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=5.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.