CVE-2023-0555 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2023-0555?

CVE-2023-0555 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-0555?

Check the references section above for vendor advisories and patch information. Affected products include: Thingsforrestaurants Quick Restaurant Menu.

Vulnerability Description

The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those actions intended for administrator use. Actions include menu item creation, update and deletion and other menu management functions. Since the plugin does not verify that a post ID passed to one of its AJAX actions belongs to a menu item, this can lead to arbitrary post deletion/alteration.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Thingsforrestaurants	Quick Restaurant Menu	< 2.1.0

Related Weaknesses (CWE)

CWE-862

References

https://plugins.trac.wordpress.org/browser/quick-restaurant-menu/tags/2.0.2/inclRelease NotesThird Party Advisory
https://plugins.trac.wordpress.org/changeset/2851871/quick-restaurant-menu/trunkPatchThird Party Advisory
https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick
https://www.wordfence.com/threat-intel/vulnerabilities/id/97984c7d-d6ff-480c-acf
https://plugins.trac.wordpress.org/browser/quick-restaurant-menu/tags/2.0.2/inclRelease NotesThird Party Advisory
https://plugins.trac.wordpress.org/changeset/2851871/quick-restaurant-menu/trunkPatchThird Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/97984c7d-d6ff-480c-acfThird Party Advisory

FAQ

What is CVE-2023-0555?

CVE-2023-0555 is a vulnerability with a CVSS score of 8.1 (HIGH). The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.0.2. This makes it possib...

How severe is CVE-2023-0555?

CVE-2023-0555 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-0555?

Check the references section above for vendor advisories and patch information. Affected products include: Thingsforrestaurants Quick Restaurant Menu.