Description
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery enabling unauthorized menu uploads
Action: Patch
AI Analysis

Impact

The Easy restaurant menu manager plugin is affected by a CSRF flaw that allows an unauthenticated attacker, who has convinced an administrator to follow a crafted link, to upload a menu file. The missing or incorrect nonce validation in the nsc_eprm_save_menu function means the system trusts the request and processes the file, potentially exposing the site to harmful content or unauthorized changes to the menu.

Affected Systems

Vendors: nikelschubert. Product: Easy restaurant menu manager plugin for WordPress, versions up to and including 2.0.2 are impacted. Administrators using these populations are vulnerable until they upgrade beyond 2.0.2.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity, while an EPSS score below 1% indicates low likelihood of widespread exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by sending a forged request to the site that a logged‑in administrator will automatically process when clicking a link; the query relies on the absence of proper nonce checks.

Generated by OpenCVE AI on April 20, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy restaurant menu manager plugin to version 2.0.3 or newer, where nonce validation is correctly implemented.
  • If an upgrade cannot be performed immediately, disable the menu upload functionality or restrict it to trusted users until a patch is available.
  • Continuously monitor site logs for suspicious upload attempts and verify that only authenticated administrators trigger menu uploads.

Generated by OpenCVE AI on April 20, 2026 at 19:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24541 The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Nikelschubert
Nikelschubert easy Restaurant Menu Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Nikelschubert
Nikelschubert easy Restaurant Menu Manager Plugin
Wordpress
Wordpress wordpress

Wed, 13 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Easy restaurant menu manager <= 2.0.2 - Cross-Site Request Forgery to Menu Upload
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Nikelschubert Easy Restaurant Menu Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:50.840Z

Reserved: 2025-08-01T22:03:01.823Z

Link: CVE-2025-8491

cve-icon Vulnrichment

Updated: 2025-08-13T14:02:37.736Z

cve-icon NVD

Status : Deferred

Published: 2025-08-13T04:16:18.773

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses