CVE-2025-15445 affects the Restaurant Cafeteria WordPress theme through version 0.4.6 by exposing insecure admin-ajax actions that lack nonce or capability checks. This missing authorization allows any logged-in user, such as a subscriber, to execute privileged operations. Specifically, an attacker can install and activate arbitrary PHP code from a user-supplied URL and import demo content that overwrites site configurations including theme modifications, pages, menus, and front page settings. The vulnerability is identified as CWE-862 and carries a CVSS 3.1 base score of 5.4, indicating a medium severity level. There is no indication of known exploits in the wild or available patches at this time.

An attacker with any logged-in user privileges can exploit this vulnerability to execute arbitrary PHP code on the affected WordPress site. This can lead to unauthorized modification of site configuration, including theme settings, pages, menus, and front page layout. While the confidentiality and integrity impacts are low to medium, the ability to execute arbitrary code poses a significant risk to site security and stability. There is no evidence of active exploitation in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals and limit login access. Monitor for updates from the theme developer or WordPress security channels regarding patches or temporary mitigations. Avoid installing or activating untrusted plugins or themes that could be leveraged in conjunction with this vulnerability.