CVE-2025-54038

Vulnerability

Overview

The Restaurant Menu by MotoPress plugin for WordPress (versions up to and including 2.4.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from insufficient validation of requests, enabling an attacker to trick a logged-in administrator into performing actions they did not intend.

Exploitation and

Attack Surface

Exploitation requires user interaction—the victim (a privileged user) must click on a malicious link, visit a crafted page, or submit a form crafted by the attacker. The attack can be initiated remotely by an unauthenticated user, with no special privileges required beyond the victim's existing session.

Impact

Successful CSRF exploitation allows an attacker to force the victim to execute unwanted actions under their current authentication. This could include changing plugin settings, modifying restaurant menu items, or other administrative operations that could compromise the site's integrity.

Mitigation

The vulnerability has been addressed in version 2.4.7 of the plugin. Users are strongly advised to update immediately. If updating is not possible, implement additional security measures such as CSRF tokens or request origin validation. According to the advisory [1], the issue is considered low severity and unlikely to be mass-exploited, but prompt patching is recommended.