WordPress Plugin Vulnerabilities

Restaurant & Cafe Addon for Elementor < 1.5.3 - Missing Authorization

Description

The plugin is vulnerable to unauthorized modification of data due to missing capability checks on the rcafe_bw_settings_save_func(), rctl_bw_toggle_submit_func(), rcafe_uw_settings_save_func(), and rctl_uw_toggle_submit_func() functions all hooked via nopriv AJAX actions in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to modify the plugin's settings.

Affects Plugins

Plugin icon
restaurant-cafe-addon-for-elementor
Fixed in 1.5.3

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
5bceb74e-6c16-4b62-9194-429edde484bc

Timeline

Publicly Published
2023-11-14 (about 2 years ago)
Added
2024-01-17 (about 2 years ago)
Last Updated
2024-01-17 (about 2 years ago)

Other

Published
Title
Published
2023-08-01
Title
Booster for WooCommerce < 7.1.0 - Shop Manager+ Missing Authorization to Arbitrary Options Update
Published
2025-05-22
Title
Booking and Rental Manager < 2.3.9 - Missing Authorization
Published
2026-01-21
Title
BOX NOW Delivery < 3.2.0 - Missing Authorization
Published
2024-07-11
Title
Academy LMS < 2.0.5 - Missing Authorization
Published
2026-02-16
Title
leadlovers forms <= 1.0.2 - Missing Authorization