Impact
The plugin contains an unrestricted file upload vulnerability: its upload handler does not validate the type of the file it receives. An attacker can therefore submit a file with dangerous content, such as a PHP script, and have it written to a web-accessible directory. If the upload succeeds and the web server executes PHP from that directory, the attacker can request the script and run arbitrary code as the web server user, which amounts to full control over the compromised WordPress installation. The flaw maps to CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3 base score of 10.0, the critical rating that CVSS assigns only to flaws exploitable over the network with no privileges and no user interaction and leading to complete loss of confidentiality, integrity and availability.
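The pattern described above, as an added example that is not FW Food Menu's code: a hypothetical WordPress AJAX handler for menu assets, shown first in the unrestricted form that CWE-434 describes and then hardened with the WordPress upload API. The function names, the nonce action `fwfm_upload`, the `asset` field name and the `food-menu` directory are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Illustrates the CWE-434 pattern with a
// hypothetical AJAX handler; requires WordPress for wp_handle_upload() and friends.

// --- Vulnerable pattern: the file name and type come straight from the request ---
function fwfm_upload_asset_vulnerable() {
    // No nonce, no capability check, no type validation.
    $file   = $_FILES['asset'];
    $dir    = wp_upload_dir();
    $target = $dir['basedir'] . '/food-menu/' . $file['name'];
    // With name="shell.php" the file lands under the web root and is reachable
    // at /wp-content/uploads/food-menu/shell.php on a default install.
    move_uploaded_file( $file['tmp_name'], $target );
    wp_send_json_success( array( 'url' => $dir['baseurl'] . '/food-menu/' . $file['name'] ) );
}

// --- Hardened pattern ---------------------------------------------------------
function fwfm_upload_asset_hardened() {
    // 1. CSRF token and capability check; check_ajax_referer() dies on failure.
    check_ajax_referer( 'fwfm_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['asset'] ) || $_FILES['asset']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['asset'];

    // 2. Allowlist of the only types a menu asset can legitimately be.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 3. Check extension AND content together. wp_check_filetype_and_ext() sniffs
    //    the bytes and returns false for 'type'/'ext' when they do not match the
    //    allowlist or disagree with the file name.
    $name  = sanitize_file_name( $file['name'] );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // The allowlist regex only inspects the final extension, so a real JPEG named
    // "menu.php.jpg" would pass it; some Apache AddHandler setups execute such
    // names, so reject any PHP-like inner extension explicitly.
    if ( preg_match( '/\.ph(p|tml|ar)\d?\./i', $name ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }
    $file['name'] = $name;

    // 4. Let WordPress place the file. 'mimes' applies the allowlist again and the
    //    name is passed through wp_unique_filename(), so the attacker neither picks
    //    the type nor the final file name.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

wp_handle_upload() already runs wp_check_filetype_and_ext() when `test_type` is left at its default, so step 3 duplicates that check deliberately: the point is that the type decision is made on sniffed content against a short allowlist, never on the client-supplied name alone. Independently of any plugin fix, denying PHP execution under wp-content/uploads at the web server (Apache or nginx configuration) means that even a bypassed type check yields a file that is served, not executed.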
Affected Systems
Fastw3b LLC's FW Food Menu WordPress plugin is affected in all releases up to and including version 6.0.0. The vulnerable code is the plugin's upload handling, which is typically reachable by users permitted to upload menu assets. The flaw itself is confined to the WordPress site that runs the plugin, but an uploaded payload that gets executed runs with the web server's privileges, so the consequence is a takeover of that server and of anything the web server account can read, including wp-config.php and the database credentials it holds.
Risk and Exploitability
The EPSS score is below 1%, so the modelled probability of exploitation in the wild is low, but the CVSS score of 10 and the nature of the flaw (remote code execution from a single upload) make the risk high for any site still running an affected version. The vulnerability is not listed in the CISA KEV catalog; its severity nevertheless warrants prompt patching. Exploitation is remote and requires only the ability to reach the upload endpoint with a crafted request; if the plugin is configured to accept uploads from unauthenticated visitors, the barrier is minimal. Sites that cannot update immediately should at least prevent the web server from executing PHP inside the uploads directory, and sites that ran an affected version should check that directory for files that should not be there.
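A triage check for sites that ran an affected version, as an added example that is not part of the advisory or of the plugin: a stand-alone PHP CLI script that walks an uploads tree and flags what a CWE-434 upload typically leaves behind, namely files with an executable PHP extension anywhere in their name and non-PHP files that contain a PHP open tag. The script name, the sample file names and the sample contents are constructed for the example; with no argument it builds and scans a small temporary tree so it runs offline.

```php
<?php
// Added example, not the advisory's or the plugin's code.
//   php find-upload-shells.php /var/www/html/wp-content/uploads
// With no argument, a constructed sample tree is scanned instead.

function fwfm_scan_uploads( string $root ): array {
    // Extensions mod_php/PHP-FPM setups commonly execute; the exact list depends
    // on the server's handler configuration.
    $exec_ext = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar' );
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        // Check every dotted segment after the first, so "x.php.jpg" is caught
        // as well as "x.php".
        $segments = array_slice( explode( '.', strtolower( $info->getFilename() ) ), 1 );
        if ( array_intersect( $segments, $exec_ext ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'executable extension' );
            continue;
        }
        // Content check on the first 64 KiB: a PHP open tag inside an "image" is
        // the signature of a polyglot waiting for a handler misconfiguration.
        $head = file_get_contents( $path, false, null, 0, 65536 );
        if ( $head !== false && preg_match( '/<\?(php\b|=)/i', $head ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'PHP open tag in non-PHP file' );
        }
    }
    return $findings;
}

// Constructed sample data (not from any real incident) so the script runs offline.
function fwfm_build_sample_tree(): string {
    $root = sys_get_temp_dir() . '/fwfm-uploads-' . bin2hex( random_bytes( 4 ) );
    mkdir( $root . '/food-menu', 0700, true );
    // Legitimate JPEG: SOI marker plus JFIF APP0 header, no PHP inside.
    file_put_contents( $root . '/food-menu/menu.jpg',
        "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" . str_repeat( "\x00", 64 ) );
    // Disguised script: valid GIF header followed by PHP (a harmless echo here).
    file_put_contents( $root . '/food-menu/special.gif', "GIF89a<?php echo 'polyglot'; ?>" );
    // Double extension that some Apache AddHandler configurations will execute.
    file_put_contents( $root . '/food-menu/dessert.php.jpg', "\xFF\xD8\xFF\xE0" );
    // Plainly dropped script.
    file_put_contents( $root . '/food-menu/cache.php', "<?php echo 'x';" );
    return $root;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? fwfm_build_sample_tree();
    foreach ( fwfm_scan_uploads( $root ) as $f ) {
        printf( "%-30s %s\n", $f['reason'], $f['path'] );
    }
}
```

On the sample tree the script reports special.gif, dessert.php.jpg and cache.php and stays silent on menu.jpg. A hit is a lead, not a verdict: compare the file's modification time against the plugin's access logs for requests to the upload endpoint and for later direct requests to the flagged path, which is what a successful exploitation of this flaw looks like from the server's side.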
OpenCVE Enrichment