Themes Vulnerabilities

Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation

Description

The theme exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a plugin from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including theme_mods, pages, menus, and front page settings.

Proof of Concept

Affects Themes

restaurant-cafeteria
No known fix

References

CVE
CVE-2025-15445

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Submitter website
https://github.com/Nxploited
Verified
Yes
WPVDB ID
f3f4a734-5828-4e3f-a170-28189aeda929

Timeline

Publicly Published
2026-03-06 (about 22 days ago)
Added
2026-02-27 (about 1 month ago)
Last Updated
2026-02-27 (about 1 month ago)

Other

Published
Title
Published
2025-12-05
Title
Post Cloner <= 1.0.0 - Missing Authorization
Published
2023-11-21
Title
Preloader for Website < 1.3 - Missing Authorization via plwao_register_settings()
Published
2026-02-19
Title
Ally < 4.0.3 - Missing Authorization
Published
2025-04-01
Title
Free Woocommerce Product Table View <= 1.78 - Missing Authorization
Published
2026-01-27
Title
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover