Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57644

CVE-2026-57644: Restaurant Menu by MotoPress SQLi Flaw

CVE-2026-57644 is a contributor-level SQL injection vulnerability in Restaurant Menu by MotoPress plugin versions 2.4.10 and earlier. This flaw allows authenticated attackers to manipulate database queries. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-57644 Overview

CVE-2026-57644 is a SQL injection vulnerability in the Restaurant Menu by MotoPress WordPress plugin, affecting versions up to and including 2.4.10. The flaw allows authenticated users with Contributor-level privileges to inject arbitrary SQL statements into database queries executed by the plugin. This weakness maps to [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. Successful exploitation exposes sensitive database contents and can affect resources beyond the plugin's own scope, as reflected by the changed scope in the CVSS vector.

Critical Impact

Authenticated Contributors can execute injected SQL against the WordPress database, leading to disclosure of confidential data such as user records, session tokens, and plugin configuration.

Affected Products

  • Restaurant Menu by MotoPress plugin for WordPress
  • All versions up to and including 2.4.10
  • WordPress sites permitting Contributor-level account registration

Discovery Timeline

  • 2026-06-26 - CVE-2026-57644 published to NVD
  • 2026-06-26 - Last updated in NVD database

Technical Details for CVE-2026-57644

Vulnerability Analysis

CVE-2026-57644 is a SQL injection flaw introduced by improper sanitization of user-supplied input in the mp-restaurant-menu plugin. The plugin passes parameters into database queries without adequate parameterization or escaping. An attacker holding a Contributor account can craft plugin requests that append or modify SQL clauses. Because the scope is changed, the impact extends beyond the plugin's authorization boundary, allowing broader access to WordPress database contents. Successful exploitation yields high confidentiality impact with low availability impact and no integrity impact per the assigned vector.

Root Cause

The root cause is a failure to neutralize special SQL characters in user-controlled parameters before concatenating them into database queries. WordPress provides $wpdb->prepare() for parameterized statements, but the vulnerable code paths in versions <= 2.4.10 do not consistently apply it. This omission allows metacharacters to alter query structure.

Attack Vector

The attack is delivered over the network against the WordPress admin or AJAX endpoints exposed by the plugin. The attacker must authenticate as a Contributor, which is a low-privileged role frequently granted for guest posting or restricted content workflows. No user interaction is required beyond the attacker's own session. Once authenticated, the attacker submits crafted parameters to plugin endpoints and observes responses or timing to extract database contents through in-band or blind SQL injection techniques. The vulnerability manifests in the plugin's request handlers; refer to the Patchstack Vulnerability Report for parameter-level details.

Detection Methods for CVE-2026-57644

Indicators of Compromise

  • Web server logs containing SQL metacharacters such as UNION, SELECT, SLEEP(, or -- in requests to admin-ajax.php or mp-restaurant-menu endpoints
  • Unusual query patterns or errors in the WordPress database error log tied to plugin actions
  • Contributor accounts issuing high volumes of plugin API requests within short intervals

Detection Strategies

  • Deploy a Web Application Firewall (WAF) with SQL injection signatures tuned for WordPress plugin parameters
  • Enable MySQL general query logging temporarily to correlate anomalous queries with plugin request handlers
  • Alert on Contributor-role sessions that trigger database errors or long-running queries

Monitoring Recommendations

  • Forward WordPress access logs and PHP error logs to a centralized SIEM for correlation
  • Track creation and privilege changes for Contributor accounts on public-facing WordPress sites
  • Monitor the plugin's installed version across all managed WordPress instances and alert on versions <= 2.4.10

How to Mitigate CVE-2026-57644

Immediate Actions Required

  • Update Restaurant Menu by MotoPress to a version above 2.4.10 as soon as a fixed release is available
  • Audit and remove unnecessary Contributor-level accounts and disable open user registration where feasible
  • Rotate WordPress database credentials and administrative session tokens if suspicious activity is observed

Patch Information

Refer to the Patchstack Vulnerability Report for the latest fixed version and vendor guidance. Apply the update through the WordPress plugin manager or WP-CLI once released.

Workarounds

  • Deactivate the Restaurant Menu by MotoPress plugin until the patched version is deployed
  • Restrict Contributor role capabilities using a role editor to remove access to plugin-specific actions
  • Enforce WAF rules blocking SQL metacharacters on requests targeting mp-restaurant-menu endpoints
bash
# Configuration example: update the plugin via WP-CLI once a fixed release is available
wp plugin update mp-restaurant-menu
wp plugin list --name=mp-restaurant-menu --fields=name,status,version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.