Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7.
Published: 2025-12-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Restaurant Menu by MotoPress WordPress plugin contains a vulnerability that allows an unauthorized control sphere to retrieve embedded sensitive data. The flaw is present in all releases through 2.4.7 and is classified as CWE‑497. An attacker could cause a loss of confidentiality by accessing information that is not intended for public consumption, potentially revealing system configuration or other sensitive data.

Affected Systems

The affected product is the WordPress plugin Restaurant Menu by MotoPress from jetmonsters, version 2.4.7 and earlier. Systems running the plugin in any environment exposed to the web are at risk.

Risk and Exploitability

The CVSS base score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector involves interacting with the plugin’s public interfaces, possibly through authenticated or unauthenticated requests to plugin endpoints. Because the vulnerability enables arbitrary data retrieval, a malicious actor could exfiltrate information without additional privileges. The mitigations recommend disabling exposed interfaces or updating to a patched version.

Generated by OpenCVE AI on April 29, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Restaurant Menu by MotoPress to version 2.4.8 or later.
  • If an update cannot be performed immediately, restrict access to the plugin’s admin area and disable any publicly exposed endpoints that display sensitive data.
  • Disable or remove the plugin on sites where it is not essential to limit potential data exposure.
  • Maintain a routine review of WordPress plugins and applied patches to prevent re‑exposure.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Sun, 21 Dec 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Motopress; Motopress restaurant Menu; Wordpress; Wordpress wordpress
Vendors & Products | | Motopress; Motopress restaurant Menu; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7.
Title | | WordPress Restaurant Menu by MotoPress plugin <= 2.4.7 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-497
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:24:30.537Z

Reserved: 2025-06-11T16:06:59.982Z

Link: CVE-2025-49914

Vulnrichment

Updated: 2025-12-18T19:36:19.032Z

NVD

Status: Deferred

Published: 2025-12-18T08:15:51.957

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z
