CVE-2025-63078 Overview
CVE-2025-63078 is a broken access control vulnerability in the Restaurant Menu by MotoPress WordPress plugin. The flaw affects versions up to and including 2.4.11 and stems from a missing authorization check [CWE-862]. Authenticated users with the low-privilege Subscriber role can invoke plugin functionality that should be restricted to higher-privileged accounts. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction. Successful exploitation results in a limited integrity impact on the affected WordPress site.
Critical Impact
Authenticated Subscriber-level users can bypass access controls in Restaurant Menu by MotoPress <= 2.4.11, allowing unauthorized modification of plugin data on affected WordPress sites.
Affected Products
- Restaurant Menu by MotoPress WordPress plugin
- Versions <= 2.4.11
- WordPress sites running the mp-restaurant-menu plugin
Discovery Timeline
- 2026-06-26 - CVE CVE-2025-63078 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-63078
Vulnerability Analysis
The vulnerability is a Broken Access Control issue classified under [CWE-862] Missing Authorization. Restaurant Menu by MotoPress exposes plugin endpoints or actions without verifying that the calling user holds an appropriate WordPress capability. As a result, any authenticated account, including the default Subscriber role, can reach functionality intended for administrators or restaurant managers.
WordPress Subscriber accounts are typically created through open registration or comment workflows. This makes the attacker prerequisite trivial on sites that allow user registration. The attack occurs over the network against the WordPress HTTP interface and does not require social engineering.
Impact is limited to integrity effects on plugin-managed data. Confidentiality and availability are not directly impacted according to the CVSS vector. The Patchstack advisory documents the affected plugin versions and confirms remediation in later releases.
Root Cause
The plugin registers callable actions, most likely through WordPress AJAX handlers or REST routes, without performing a current_user_can() capability check or an equivalent nonce and role validation. Authorization is either absent or relies only on authentication, treating any logged-in user as trusted.
Attack Vector
An attacker registers or obtains a Subscriber account on a vulnerable WordPress site. The attacker then issues authenticated HTTP requests to the vulnerable plugin endpoint, invoking privileged actions such as modifying menu items, categories, or plugin settings. The vulnerability is described in detail in the Patchstack Vulnerability Advisory.
Detection Methods for CVE-2025-63078
Indicators of Compromise
- Unexpected creation, modification, or deletion of restaurant menu items, categories, or plugin settings by non-administrative user accounts.
- Subscriber accounts issuing POST requests to admin-ajax.php or plugin REST routes tied to mp-restaurant-menu.
- New WordPress user registrations followed shortly by plugin-related administrative actions.
Detection Strategies
- Review WordPress activity logs for plugin data changes performed by users lacking editor or administrator roles.
- Correlate HTTP access logs with WordPress user session data to identify Subscriber-level accounts triggering plugin admin actions.
- Alert on requests to mp-restaurant-menu AJAX or REST endpoints originating from low-privilege authenticated sessions.
Monitoring Recommendations
- Deploy a WordPress audit logging plugin to capture user role, action, and affected object for every plugin write operation.
- Monitor for anomalous spikes in Subscriber registrations followed by authenticated POST traffic to plugin endpoints.
- Forward WordPress and web server logs to a centralized SIEM or data lake for retention and correlation.
How to Mitigate CVE-2025-63078
Immediate Actions Required
- Update Restaurant Menu by MotoPress to a version later than 2.4.11 as published by the vendor.
- Audit existing WordPress accounts and remove unused or suspicious Subscriber-level users.
- Temporarily disable open user registration on sites that do not require it.
Patch Information
Refer to the Patchstack Vulnerability Advisory for the fixed version and vendor guidance. Apply the plugin update through the WordPress admin dashboard or via WP-CLI.
Workarounds
- Deactivate the mp-restaurant-menu plugin until it can be upgraded to a fixed release.
- Restrict access to wp-admin/admin-ajax.php and plugin REST routes at the web application firewall for unauthenticated and low-privilege sessions.
- Set the WordPress users_can_register option to false to prevent creation of new Subscriber accounts.
# Configuration example
wp plugin update mp-restaurant-menu
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

