← back
CVE-2025-15445

Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation

CVSS 5.4 MEDIUMEPSS 0.2%CWE-862
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
Unknown · Restaurant Cafeteria
public PoCs found1
cve_referencewpscan.com/vulnerability/f3f4a734-5828-4e3f-a170-28189aeda929/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/f3f4a734-5828-4e3f-a170-28189aeda929/