WordPress Plugin Vulnerabilities

Quick Restaurant Menu < 2.1.0 - Subscriber+ Arbitrary Post Deletion/Updating

Description

The plugin does not ensure that the menu to be deleted/updated is actually a menu, and does not have authorisation in the related AJAX actions, which could allow any authenticated users, such as subscriber, to delete and update arbitrary posts

Affects Plugins

Plugin icon
quick-restaurant-menu
Fixed in 2.1.0

References

CVE
CVE-2023-0550
CVE
CVE-2023-0555

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Marco Wotschka, Ivan Kuzymchak
Verified
No
WPVDB ID
7f4cbbf9-9492-4a75-b9b2-4a1cae3c2ee1

Timeline

Publicly Published
2023-01-27 (about 3 years ago)
Added
2023-01-27 (about 3 years ago)
Last Updated
2023-01-27 (about 3 years ago)

Other

Published
Title
Published
2026-01-02
Title
Overton <= 1.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-03-07
Title
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.30 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates
Published
2025-01-02
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-01-05
Title
Woffice Core < 5.4.31 - Unauthenticated Insecure Direct Object Reference
Published
2023-06-22
Title
WooCommerce Payments < 4.5.1 - Intent Parameter Tampering