CVE-2025-31877

Vulnerability

The RestroPress plugin for WordPress (all versions up to and including 3.2.8) contains a missing authorization vulnerability [1]. The plugin fails to properly check user permissions for certain actions, allowing exploitation of incorrectly configured access control security levels. This affects the restropress component, which is an online food ordering system [1].

Exploitation

To exploit this vulnerability, an attacker must have network access to a WordPress site running a vulnerable version of RestroPress. No authentication is required if the access control security levels are misconfigured, though the exact requirement varies based on the site configuration. The attacker can trigger the missing authorization flaw to perform unauthorized actions [1].

Impact

Successful exploitation could allow an attacker to bypass intended access controls, potentially leading to unauthorized modification of data or settings. The risk is classified as medium severity with a CVSS v3 score of 4.3. The CIA impact is limited but could disrupt the ordering system or access restricted features [1].

Mitigation

Users should update RestroPress to version 3.2.8.8.1 or later, which was released after the vulnerability disclosure (the plugin was last updated 2026-05-21) [1]. Review and properly configure the plugin's access control settings to ensure tight permissions. No workaround is explicitly provided, but restricting network access to the admin area may reduce exposure [1].