Impact
The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to trigger authenticated actions within the Restaurant Menu by MotoPress plugin. If an attacker tricks a user who is logged in and has sufficient privileges (for example, admin or editor) into visiting a crafted page, the attacker can submit requests that modify or delete menu items. The primary impact is unauthorized data modification, which could degrade site functionality or alter menu content without notice.
Affected Systems
Jetmonsters’ Restaurant Menu by MotoPress plugin is affected in versions up to and including 2.4.6. Releases newer than 2.4.6 are not affected.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate risk level. The EPSS score is below 1%, suggesting a very low probability of widespread exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. The attack most likely requires an authenticated user who voluntarily visits a malicious site; the attacker's page can then force the browser to submit a request to the plugin’s endpoints, bypassing any intended protection. This is inferred from the CSRF nature of the flaw, as no direct exploitation path or privileged conditions are detailed in the description.