Skip to main content
CVE Vulnerability Database

CVE-2025-8491: WordPress Easy Restaurant Menu CSRF Flaw

CVE-2025-8491 is a Cross-Site Request Forgery vulnerability in the Easy Restaurant Menu Manager plugin for WordPress that enables unauthorized menu file uploads. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8491 Overview

CVE-2025-8491 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Easy Restaurant Menu Manager plugin for WordPress. The flaw exists in all versions up to and including 2.0.2. It stems from missing or incorrect nonce validation on the nsc_eprm_save_menu() function. Unauthenticated attackers can upload a menu file through a forged request if they trick a site administrator into clicking a crafted link. The issue is tracked under [CWE-352] (Cross-Site Request Forgery) and was published to the National Vulnerability Database (NVD) on 2025-08-13.

Critical Impact

Attackers can force authenticated administrators to upload attacker-controlled menu files, resulting in unauthorized content modification on the target WordPress site.

Affected Products

  • Easy Restaurant Menu Manager plugin for WordPress — all versions through 2.0.2
  • WordPress sites running the easy-pdf-restaurant-menu-upload plugin
  • Administrator accounts on sites where the vulnerable plugin is active

Discovery Timeline

  • 2025-08-13 - CVE-2025-8491 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8491

Vulnerability Analysis

The vulnerability resides in the nsc_eprm_save_menu() function within the plugin's admin settings class. WordPress plugins typically protect state-changing administrative actions with nonces, which are single-use tokens tied to a specific user session and action. The Easy Restaurant Menu Manager plugin fails to correctly validate this nonce when handling menu file upload requests. As a result, the endpoint accepts POST requests that originate from arbitrary external sources, provided an authenticated administrator's browser submits them. An attacker hosts a malicious page containing an auto-submitting form or crafted request that targets the vulnerable admin endpoint. When an administrator visits the page while logged into WordPress, the browser sends the request with valid authentication cookies. The plugin processes the upload as if the administrator initiated it.

Root Cause

The root cause is missing or incorrect nonce validation in the nsc_eprm_save_menu() handler. The plugin does not verify the origin or intent of incoming requests using wp_verify_nonce() or check_admin_referer(). This violates the WordPress security model, which relies on nonces to distinguish legitimate administrator actions from forged requests.

Attack Vector

Exploitation requires network access and user interaction. An attacker crafts a malicious webpage or email link containing a form that submits to the vulnerable admin endpoint on the target site. The attacker delivers this link to a WordPress administrator through phishing, social engineering, or a compromised third-party site. When the administrator clicks the link while authenticated to WordPress, the browser automatically includes session cookies with the forged request. The plugin accepts the upload without verifying its origin. Successful exploitation compromises integrity by allowing arbitrary menu file uploads. Confidentiality and availability are not directly affected. Technical details are available in the Wordfence Vulnerability Report and the WordPress Plugin Class File.

Detection Methods for CVE-2025-8491

Indicators of Compromise

  • Unexpected menu file uploads or modifications in the plugin's upload directory
  • HTTP POST requests to nsc_eprm_save_menu admin endpoints originating from external Referer headers
  • Administrator session activity coinciding with visits to untrusted external URLs
  • New or altered PDF or menu files without corresponding legitimate administrator actions

Detection Strategies

  • Inspect web server access logs for POST requests to the plugin's save-menu endpoint with Referer headers pointing outside the WordPress admin domain
  • Enable WordPress audit logging to record administrator actions and correlate them with expected workflows
  • Compare file hashes of uploaded menu files against a known-good baseline maintained by site operators

Monitoring Recommendations

  • Monitor the WordPress wp-content/uploads directory and plugin-specific upload paths for file creation events
  • Alert on administrator sessions that trigger plugin save actions without prior navigation through the admin UI
  • Track outbound links clicked by administrators through email security gateways to identify phishing attempts targeting site staff

How to Mitigate CVE-2025-8491

Immediate Actions Required

  • Update the Easy Restaurant Menu Manager plugin to a version newer than 2.0.2 once the vendor publishes a patched release
  • If no patched version is available, deactivate and remove the plugin from all WordPress installations
  • Audit recent uploads under the plugin's directory and remove any files that cannot be attributed to a legitimate administrator action
  • Rotate administrator credentials and invalidate active sessions if forged uploads are suspected

Patch Information

The vendor addressed the issue in commit changeset 3338246 in the plugin's trunk. Site operators should install the fixed release from the WordPress Plugin Directory as soon as it becomes available and verify that the nsc_eprm_save_menu() function performs proper nonce validation.

Workarounds

  • Restrict access to /wp-admin/ using IP allowlisting at the web server or WAF layer to reduce exposure to CSRF delivery
  • Require administrators to use isolated browsers or profiles for WordPress management to prevent cross-site cookie reuse
  • Deploy a web application firewall rule that blocks POST requests to the plugin endpoint when the Referer header does not match the site's own admin URL
  • Train administrators to avoid clicking untrusted links while authenticated to the WordPress dashboard

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.