CVE-2025-15445
Description
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, such as a subscriber, to perform privileged operations. An attacker can install and activate a plugin from a user-supplied URL, leading to arbitrary PHP code execution, and can also import demo content that rewrites site configuration, including theme_mods, pages, menus, and front page settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Restaurant Cafeteria WordPress theme through 0.4.6 lacks nonce and capability checks on admin-ajax actions, allowing subscribers to install arbitrary plugins and import demo content.
The Restaurant Cafeteria WordPress theme through version 0.4.6 exposes insecure admin-ajax actions that lack both nonce and capability checks [1]. This design flaw means that any logged-in user, even with the lowest subscriber role, can trigger these privileged operations without proper authorization [1].
An attacker who is already authenticated as a subscriber can exploit these unprotected AJAX handlers to perform two critical actions. First, they can install and activate a plugin from a user-supplied URL, which leads to arbitrary PHP code execution on the server [1]. Second, they can import demo content that overwrites site configuration, including theme modifications, pages, menus, and front page settings [1].
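The admin-ajax pattern behind this flaw, shown here as an added illustration that is not code from the Restaurant Cafeteria theme or from the CVE record: a callback registered on a wp_ajax_{action} hook runs for every authenticated user, subscriber included, and WordPress performs no authorization on the caller's behalf, so the nonce and capability checks have to live inside the callback. The hook names, function names and request parameters (demo_install_plugin, plugin_url, nonce) are hypothetical; the WordPress functions used are real APIs.

```php
<?php
/*
 * Added illustration only, not code from the Restaurant Cafeteria theme.
 * Hook, function and parameter names are hypothetical; the WordPress
 * APIs (check_ajax_referer, current_user_can, Plugin_Upgrader, ...) are real.
 */

// Vulnerable shape. wp_ajax_{action} callbacks fire for *every* logged-in
// user. With no check_ajax_referer() and no current_user_can(), any account
// (or, via CSRF, any site a logged-in victim visits) can have a package from
// a URL of its choosing downloaded, unpacked and activated: arbitrary PHP.
add_action( 'wp_ajax_demo_install_plugin_unsafe', 'demo_install_plugin_insecure' );
function demo_install_plugin_insecure() {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $url      = esc_url_raw( wp_unslash( $_POST['plugin_url'] ?? '' ) );
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $url );                  // fetches and unpacks the caller's zip
    activate_plugin( $upgrader->plugin_info() ); // executes its PHP on this request
    wp_send_json_success();
}

// Hardened shape: the same feature with three checks added.
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_secure' );
function demo_install_plugin_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action with
    //    wp_create_nonce( 'demo_install_plugin' ) and handed to the page
    //    script (e.g. via wp_localize_script). Dies with HTTP 403 otherwise.
    check_ajax_referer( 'demo_install_plugin', 'nonce' );

    // 2. Authorization: the same capability that gates Plugins > Add New.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Input constraint: never fetch from an arbitrary caller-chosen host.
    $url    = esc_url_raw( wp_unslash( $_POST['plugin_url'] ?? '' ) );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== $scheme || 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( 'Only packages from downloads.wordpress.org are allowed.', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $url );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The demo-import handler described above needs the same treatment: the nonce check, then current_user_can( 'edit_theme_options' ) before writing theme_mods, menus or the front-page options. Two further points a reviewer would check in any theme: a handler registered on wp_ajax_nopriv_{action} as well would be reachable without any account at all, and a nonce alone is not authorization, since a subscriber can obtain a valid nonce from any page that prints one.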
The impact is severe: a subscriber-level attacker can achieve full remote code execution by installing a malicious plugin, and can also deface or reconfigure the entire site by importing arbitrary demo content. The vulnerability is particularly dangerous because it requires only a low-privilege account, which is easy to obtain on WordPress sites that allow open registration [1].
As of the publication date, no fix is available for this vulnerability [1]. Site administrators should consider disabling the theme or restricting subscriber capabilities until a patched version is released [1]. Note that restricting capabilities is a weak mitigation here: wp_ajax_{action} hooks run for any authenticated user regardless of role, and the handlers perform no capability check of their own, so every account keeps reaching them. Switching to another theme removes the handlers; disabling open user registration only shrinks the pool of attackers.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.