CVE-2024-5459 - Vulnerability Details - OpenCVE

The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fivestarplugins	Five Star Restaurant Menu

Configuration 1 [-]

cpe:2.3:a:fivestarplugins:five_star_restaurant_menu:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111
https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144
https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62
https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80
https://plugins.trac.wordpress.org/changeset/3097599/
https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00174}`	epss `{'score': 0.0015}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-05T12:45:38.670Z

Updated: 2024-08-01T21:11:12.771Z

Reserved: 2024-05-29T00:45:06.067Z

Link: CVE-2024-5459

Vulnrichment

Updated: 2024-08-01T21:11:12.771Z

NVD

Status : Modified

Published: 2024-06-05T13:15:13.437

Modified: 2024-11-21T09:47:43.570

Link: CVE-2024-5459

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5459", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-05-29T00:45:06.067Z", "datePublished": "2024-06-05T12:45:38.670Z", "dateUpdated": "2024-08-01T21:11:12.771Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-05T12:45:38.670Z"}, "affected": [{"vendor": "rustaurius", "product": "Five Star Restaurant Menu and Food Ordering", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages."}], "title": "Restaurant Menu and Food Ordering <= 2.4.16 - Missing Authorization to Menu Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3097599/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-06-04T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T18:24:10.229837Z", "id": "CVE-2024-5459", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:24:17.715Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.771Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3097599/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3097599/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.771Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T18:24:10.229837Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:24:14.929Z"}}], "cna": {"title": "Restaurant Menu and Food Ordering <= 2.4.16 - Missing Authorization to Menu Creation", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rustaurius", "product": "Five Star Restaurant Menu and Food Ordering", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-04T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111"}, {"url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3097599/"}], "descriptions": [{"lang": "en", "value": "The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-05T12:45:38.670Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5459", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.771Z", "dateReserved": "2024-05-29T00:45:06.067Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-05T12:45:38.670Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fivestarplugins:five_star_restaurant_menu:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D20CBBB9-7F0E-4646-9D38-98D3C52E53D9", "versionEndExcluding": "2.4.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages."}, {"lang": "es", "value": "El complemento Restaurant Menu and Food Ordering para WordPress es vulnerable a la creaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones 'add_section', 'add_menu', 'add_menu_item' y 'add_menu_page' en todas las versiones hasta la 2.4.16 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, creen secciones de men\u00fa, men\u00fas, alimentos y nuevas p\u00e1ginas de men\u00fa."}], "id": "CVE-2024-5459", "lastModified": "2024-11-21T09:47:43.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-06-05T13:15:13.437", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3097599/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L111"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L144"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L62"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/food-and-drink-menu/trunk/includes/class-installation-walkthrough.php#L80"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3097599/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03f9d9bb-6a87-4da9-bbb0-65203d7250e9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}