CVE-2026-57644
MotoPress · Restaurant Menu
A SQL injection vulnerability exists in the Restaurant Menu by MotoPress plugin, allowing authenticated contributors to execute arbitrary SQL commands.
Executive summary
The Restaurant Menu plugin for WordPress is vulnerable to an authenticated SQL injection, posing a significant risk of unauthorized database access and data exfiltration.
Vulnerability
This vulnerability is a SQL injection flaw in the plugin's database query handling that is reachable by users with Contributor-level privileges. An authenticated attacker can manipulate input parameters to execute unauthorized commands against the underlying database.
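As an added illustration of the flaw class this advisory describes (not the Restaurant Menu plugin's actual code; the table name `rm_items`, the `category` request parameter and the capability chosen are assumptions), the vulnerable WordPress pattern beside a hardened version that binds the value with `$wpdb->prepare()` and gates the query behind a capability that Contributors do not hold:

```php
<?php
// Hypothetical illustration of the flaw class in this advisory; not the
// plugin's own code. Table and parameter names are assumed.

// BEFORE (vulnerable): the request value is interpolated straight into SQL.
// Any logged-in user who can reach this handler controls the WHERE clause.
function rm_items_by_category_vulnerable() {
    global $wpdb;
    $category = $_POST['category'];                        // untrusted input
    $sql = "SELECT id, title FROM {$wpdb->prefix}rm_items "
         . "WHERE category = '$category'";                  // injection point
    return $wpdb->get_results( $sql );
}

// AFTER (hardened): check an appropriate capability, then bind the value.
// Contributors have edit_posts but not edit_others_posts, so this check
// closes the low-privilege path; prepare() keeps the value from altering
// the query structure regardless of who reaches the handler.
function rm_items_by_category_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'edit_others_posts' ) ) {     // assumed policy
        wp_die( 'Insufficient permissions', 403 );
    }
    if ( ! isset( $_POST['category'] ) ) {
        return array();
    }
    $category = sanitize_text_field( wp_unslash( $_POST['category'] ) );
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}rm_items WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}
```

The capability to require depends on what the handler does; the point is that the query is parameterized independently of the authorization check, so neither control is the sole line of defense.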
Business impact
Successful exploitation allows an attacker to bypass security controls, extract sensitive information, or potentially modify site content. With a CVSS score of 8.5, this high-severity flaw carries a substantial risk of data breach and loss of site integrity, potentially leading to long-term reputational damage.
Remediation
Immediate Action: Update the Restaurant Menu plugin to the patched version as soon as MotoPress releases it.
Proactive Monitoring: Review database error logs and query logs for unusual patterns or syntax that indicate attempted SQL injection attacks.
Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection patterns targeting WordPress plugins.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The high CVSS score of 8.5 underscores the critical nature of this vulnerability. Organizations using this plugin should prioritize the application of vendor patches immediately upon release to mitigate the risk of unauthorized database manipulation.