Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.
Published: 2025-06-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw that allows an attacker to delete arbitrary files on the server. The weakness, identified as CWE-22, arises from insufficient validation of a file path supplied to a deletion routine in the FW Food Menu plugin. If successfully exploited, an attacker could remove critical configuration files, application data, or other server files, leading to loss of availability and potential exposure of confidential data.

Affected Systems

Fastw3b LLC FW Food Menu plugin version 6.0.0 and all earlier versions are affected, so any WordPress site running the plugin at or below 6.0.0 is vulnerable. The description does not list additional affected components, so the scope is limited to the plugin itself.

Risk and Exploitability

The vulnerability scores 8.6 on CVSS, indicating high severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely trigger the deletion via a crafted request to the plugin's file deletion endpoint. The vector is web-facing and may require authenticated or privileged access; however, the description does not state explicit prerequisites, and the published CVSS vector records PR:N (no privileges required) and UI:N (no user interaction), so any user able to invoke the deletion action may be able to exploit it.

Generated by OpenCVE AI on May 1, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FW Food Menu to the latest available version provided by the vendor to eliminate the path traversal bug.
  • Disable the file deletion feature in the plugin settings or restrict the capability checks so that only administrators can delete files.
  • Restrict file system permissions for the web server so that deletion commands cannot affect sensitive directories.
  • Regularly review web server logs for anomalous file deletion activity and apply patches promptly when available.

Advisories
Source: EUVD
ID: EUVD-2025-19323
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu fw-food-menu allows Path Traversal.This issue affects FW Food Menu : from n/a through <= 6.0.0.
  Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.
  Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu fw-food-menu allows Path Traversal.This issue affects FW Food Menu : from n/a through <= 6.0.0.
References

Fri, 27 Jun 2025 14:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Description
  Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.
Title
  Values Added: WordPress FW Food Menu plugin <= 6.0.0 - Arbitrary File Deletion Vulnerability
Weaknesses
  Values Added: CWE-22
References
Metrics
  Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.869Z

Reserved: 2025-06-04T15:44:57.576Z

Link: CVE-2025-49448

Vulnrichment

Updated: 2025-06-27T13:15:38.640Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:38.130

Modified: 2026-04-28T19:33:08.120

Link: CVE-2025-49448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z
