What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in jetmonsters Restaurant Menu by MotoPress (mp-restaurant-menu) allows Cross-Site Request Forgery. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.6.
Explanation of Vulnerability in Simple Terms
02 Summary
Restaurant Menu by MotoPress versions up to 2.4.6 contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the restaurant menu without the admin's knowledge. The vulnerability requires the admin to visit the attacker's page but does not require the attacker to have any account on the target site.
What an attacker can do
03 Attacker Capabilities
Perform unwanted actions on the restaurant menu (modify, delete, or create menu items) when a logged-in admin visits a malicious webpage.
Potential impact on your site
04 Site Impact
Restaurant menu data can be altered or deleted without the site owner's consent if an admin is tricked into visiting a malicious link.
Conditions required to exploit
05 Prerequisites
A logged-in site administrator must visit a webpage controlled by the attacker.
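A check for whether an installed copy falls in the affected range stated above (versions through 2.4.6), as an added example that is not code from the plugin or from this record. It assumes the default wp-content/plugins/<slug> layout; the function names and the sample header are constructed for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "mp-restaurant-menu"   # slug as given in the advisory
AFFECTED_MAX = (2, 4, 6)             # advisory: affected through <= 2.4.6

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Restaurant Menu\n * Version: 2.4.6\n */\n"

# WordPress reads "Version:" from a comment header near the top of the main file.
_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def header_version(php_source):
    """Return the header's Version value, or None if the file has no header."""
    match = _VERSION.search(php_source[:8192])  # WordPress scans the first 8 KiB
    return match.group(1) if match else None

def version_tuple(version):
    """'2.4.6' -> (2, 4, 6); a suffix such as '-beta' on a part is ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def is_affected(version):
    """True when version <= 2.4.6, comparing numerically ('2.4.10' > '2.4.6')."""
    found = version_tuple(version)
    if not found:
        raise ValueError(f"unparseable version: {version!r}")
    width = max(len(found), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))  # so '2.4' compares as 2.4.0
    return pad(found) <= pad(AFFECTED_MAX)

def check_install(wp_root):
    """Return (version, affected) for the plugin under wp_root, or None if absent.
    Assumes the default wp-content/plugins/<slug> layout."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = header_version(php_file.read_text(errors="replace"))
        if version:
            return version, is_affected(version)
    return None
```

A result of False only means the installed version is above the range this record lists.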
Key dates
06 Disclosure timeline
July 16, 2025: CVE published
April 28, 2026: Record updated