Description
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Restaurant Menu by MotoPress plugin allows a user with subscriber permissions to perform actions that should be restricted, exposing sensitive menu data or permitting unauthorized modifications. This broken access control is categorized as CWE‑862 and can undermine data confidentiality and integrity within a WordPress site.

Affected Systems

All versions of the Restaurant Menu by MotoPress plugin up to and including 2.4.11 are affected. The plugin is distributed by jetmonsters and is commonly used to manage restaurant menus on WordPress sites.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. Expl attacker must log in and obtain subscriber-level access before leveraging the flaw. Given the limited scope and the need for valid credentials, the likelihood of widespread exploitation remains moderate, but sites with compromised subscriber accounts pose a real risk.

Generated by OpenCVE AI on June 26, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Restaurant Menu by MotoPress plugin to a version newer than 2.4.11 once the vendor releases a fix.
  • If an update is not yet available, remove or restrict menu‑editing capabilities for subscriber roles through the plugin’s role‑management settings or a separate capability‑control plugin.
  • Verify that only administrator accounts retain the capability to manage menu items, ensuring strict role‑based access control is enforced.

Generated by OpenCVE AI on June 26, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
Title WordPress Restaurant Menu by MotoPress plugin <= 2.4.11 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:44:15.903Z

Reserved: 2025-10-24T14:26:55.390Z

Link: CVE-2025-63078

cve-icon Vulnrichment

Updated: 2026-06-26T17:27:00.276Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses