CVE-2024-13415 identifies a missing authorization vulnerability (CWE-862) in the Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin, a popular WordPress extension used by restaurants to manage menus and online orders. The vulnerability exists in the response() function, which lacks proper capability checks, allowing any authenticated user with Subscriber-level privileges or higher to modify plugin settings. This means that even users with minimal privileges can escalate their influence within the plugin, potentially altering menu configurations, pricing, or ordering parameters without administrative consent. The vulnerability affects all versions up to and including 5.1.4. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. No patches or fixes are currently linked, and no exploits have been observed in the wild. The vulnerability could be leveraged in multi-user WordPress environments where Subscriber accounts are common, such as membership sites or sites allowing user registrations. The lack of authorization checks is a common security oversight that can lead to privilege escalation within plugin-specific functionality, undermining trust in the plugin's integrity controls.

The primary impact of this vulnerability is on the integrity of the affected WordPress plugin's settings. Unauthorized modification of plugin configurations could disrupt restaurant menu displays, pricing, or online ordering workflows, potentially causing business disruption or customer dissatisfaction. While it does not directly expose sensitive data or cause denial of service, the ability for low-privileged users to alter plugin behavior could be exploited to manipulate orders or menus, leading to financial or reputational damage. Organizations relying on this plugin for e-commerce operations may face operational risks and loss of customer trust if exploited. Since the vulnerability requires authenticated access, the risk is higher in environments that allow open user registrations or have many low-privileged accounts. The absence of known exploits reduces immediate threat but does not eliminate future risk, especially as attackers often target WordPress plugins due to their widespread use.

To mitigate this vulnerability, organizations should first verify if they are using the Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin and identify the version in use. If possible, update to a patched version once released by the vendor. In the absence of an official patch, administrators should restrict user roles and capabilities to minimize the number of users with Subscriber-level or higher access, especially limiting registrations and permissions for untrusted users. Implementing a Web Application Firewall (WAF) with rules to detect and block unauthorized attempts to access or modify plugin settings can provide temporary protection. Regularly audit user accounts and plugin configurations for unauthorized changes. Additionally, consider disabling or removing the plugin if it is not essential or if a secure alternative exists. Monitoring logs for suspicious activity related to plugin settings modification is also recommended. Finally, maintain a robust backup strategy to restore plugin settings if unauthorized changes occur.