CVE-2025-39352: CWE-862 Missing Authorization in ThemeGoods Grand Restaurant WordPress
Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant WordPress: from n/a through 7.0.
AI Analysis
Technical Summary
CVE-2025-39352 is a high-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the ThemeGoods Grand Restaurant WordPress plugin, versions up to 7.0. This vulnerability arises from improperly configured access control mechanisms within the plugin, allowing unauthorized users to perform actions or access resources that should be restricted. Specifically, the flaw is due to missing authorization checks, meaning that the plugin fails to verify whether a user has the appropriate permissions before allowing certain operations. The CVSS 3.1 base score of 8.2 reflects a high impact, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), indicating that the vulnerability affects only the vulnerable component without impacting other components. The impact metrics indicate no confidentiality impact (C:N), but there is an integrity impact (I:L) and a high availability impact (A:H). This suggests that while sensitive data confidentiality is not compromised, attackers can alter data or disrupt service availability significantly. Although no known exploits are currently reported in the wild, the ease of exploitation and the absence of required privileges make this vulnerability a critical concern for WordPress sites using this plugin. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring. Given that WordPress is widely used across Europe, and the Grand Restaurant plugin targets restaurant and hospitality businesses, the vulnerability could be leveraged to disrupt online restaurant operations, manipulate menu or booking data, or cause denial of service, impacting business continuity and customer trust.
Potential Impact
For European organizations, particularly those in the hospitality sector using the Grand Restaurant WordPress plugin, this vulnerability poses significant risks. Exploitation could lead to unauthorized modification of restaurant data such as menus, reservations, or pricing, undermining data integrity and potentially causing financial losses or reputational damage. The high availability impact means attackers could disrupt website functionality, leading to downtime and loss of online presence, which is critical for customer engagement and revenue generation. Since no authentication is required and no user interaction is needed, attackers can remotely exploit this vulnerability at scale, increasing the risk of widespread disruption. Additionally, compromised restaurant websites could be used as a foothold for further attacks within organizational networks, especially if integrated with other business systems. The lack of confidentiality impact reduces the risk of data breaches involving sensitive customer information, but the integrity and availability impacts alone are sufficient to cause serious operational harm. European businesses reliant on online ordering and reservation systems are particularly vulnerable, as service interruptions could directly affect customer satisfaction and regulatory compliance related to service availability.
Mitigation Recommendations
Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. These include restricting access to the WordPress admin and plugin management interfaces via IP whitelisting or VPN access to trusted personnel only. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the Grand Restaurant plugin endpoints can reduce exploitation risk. Regularly monitoring web server and application logs for unusual activity related to the plugin is critical to early detection. Organizations should also consider temporarily disabling or uninstalling the Grand Restaurant plugin if feasible until a patch is released. Keeping WordPress core and all other plugins updated reduces the overall attack surface. Additionally, enforcing the principle of least privilege for WordPress user roles limits potential damage if exploitation occurs. Backup strategies should be reviewed and tested to ensure rapid restoration of affected services. Finally, organizations should subscribe to vendor and security advisories to apply patches promptly once available.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
CVE-2025-39352: CWE-862 Missing Authorization in ThemeGoods Grand Restaurant WordPress
Description
Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant WordPress: from n/a through 7.0.
AI-Powered Analysis
Technical Analysis
CVE-2025-39352 is a high-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the ThemeGoods Grand Restaurant WordPress plugin, versions up to 7.0. This vulnerability arises from improperly configured access control mechanisms within the plugin, allowing unauthorized users to perform actions or access resources that should be restricted. Specifically, the flaw is due to missing authorization checks, meaning that the plugin fails to verify whether a user has the appropriate permissions before allowing certain operations. The CVSS 3.1 base score of 8.2 reflects a high impact, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), indicating that the vulnerability affects only the vulnerable component without impacting other components. The impact metrics indicate no confidentiality impact (C:N), but there is an integrity impact (I:L) and a high availability impact (A:H). This suggests that while sensitive data confidentiality is not compromised, attackers can alter data or disrupt service availability significantly. Although no known exploits are currently reported in the wild, the ease of exploitation and the absence of required privileges make this vulnerability a critical concern for WordPress sites using this plugin. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring. Given that WordPress is widely used across Europe, and the Grand Restaurant plugin targets restaurant and hospitality businesses, the vulnerability could be leveraged to disrupt online restaurant operations, manipulate menu or booking data, or cause denial of service, impacting business continuity and customer trust.
Potential Impact
For European organizations, particularly those in the hospitality sector using the Grand Restaurant WordPress plugin, this vulnerability poses significant risks. Exploitation could lead to unauthorized modification of restaurant data such as menus, reservations, or pricing, undermining data integrity and potentially causing financial losses or reputational damage. The high availability impact means attackers could disrupt website functionality, leading to downtime and loss of online presence, which is critical for customer engagement and revenue generation. Since no authentication is required and no user interaction is needed, attackers can remotely exploit this vulnerability at scale, increasing the risk of widespread disruption. Additionally, compromised restaurant websites could be used as a foothold for further attacks within organizational networks, especially if integrated with other business systems. The lack of confidentiality impact reduces the risk of data breaches involving sensitive customer information, but the integrity and availability impacts alone are sufficient to cause serious operational harm. European businesses reliant on online ordering and reservation systems are particularly vulnerable, as service interruptions could directly affect customer satisfaction and regulatory compliance related to service availability.
Mitigation Recommendations
Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. These include restricting access to the WordPress admin and plugin management interfaces via IP whitelisting or VPN access to trusted personnel only. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the Grand Restaurant plugin endpoints can reduce exploitation risk. Regularly monitoring web server and application logs for unusual activity related to the plugin is critical to early detection. Organizations should also consider temporarily disabling or uninstalling the Grand Restaurant plugin if feasible until a patch is released. Keeping WordPress core and all other plugins updated reduces the overall attack surface. Additionally, enforcing the principle of least privilege for WordPress user roles limits potential damage if exploitation occurs. Backup strategies should be reviewed and tested to ensure rapid restoration of affected services. Finally, organizations should subscribe to vendor and security advisories to apply patches promptly once available.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-04-16T06:22:10.074Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0f81484d88663aeb3db
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 3:49:36 PM
Last updated: 8/9/2025, 7:48:55 AM
Views: 15
Related Threats
CVE-2025-8864: CWE-532 Insertion of Sensitive Information into Log File in YugabyteDB Inc YugabyteDB Anywhere
MediumCVE-2025-8851: Stack-based Buffer Overflow in LibTIFF
MediumCVE-2025-8863: CWE-319 Cleartext Transmission of Sensitive Information in YugabyteDB Inc YugabyteDB
HighCVE-2025-8847: Cross Site Scripting in yangzongzhuan RuoYi
MediumCVE-2025-8839: Improper Authorization in jshERP
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.