CVE-2025-49914: Exposure of Sensitive System Information to an Unauthorized Control Sphere in jetmonsters Restaurant Menu by MotoPress
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress (mp-restaurant-menu) allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7.
AI Analysis
Technical Summary
CVE-2025-49914 is a vulnerability in the jetmonsters Restaurant Menu by MotoPress WordPress plugin (mp-restaurant-menu), affecting all versions up to and including 2.4.7. The flaw allows an unauthorized control sphere, that is, an attacker without proper authentication, to retrieve sensitive system information embedded in the plugin. Vulnerabilities of this class typically arise from missing access control or information-disclosure defects in the plugin's code, exposing configuration details, internal paths, or other sensitive data carried in the plugin's files or responses. No exploits are currently reported in the wild, but the disclosed information could be used for reconnaissance against the target system and so facilitate follow-on attacks such as privilege escalation, targeted phishing, or exploitation of other vulnerabilities. No CVSS score has been assigned, which indicates that the vulnerability is newly published and has not yet been fully assessed. The plugin is widely used in the hospitality sector, which is frequently targeted because of the customer and business data it handles. The published details do not specify the exact nature of the exposed data; given the plugin's role, it may include system configuration or operational details that should remain confidential. The CVE was reserved in June 2025 and published in December 2025, indicating a recent discovery. Patch information is not yet available, so immediate mitigation relies on access control and monitoring.
Potential Impact
For European organizations, especially those in the hospitality and restaurant sectors that run the jetmonsters Restaurant Menu by MotoPress plugin, this vulnerability could lead to unauthorized disclosure of sensitive system information. Such exposure compromises confidentiality and lets attackers map the system environment, identify further vulnerabilities, or craft more effective attacks. The consequences may include data breaches, reputational damage, and regulatory non-compliance under GDPR if personal or sensitive customer data is indirectly exposed or if the disclosure leads to a subsequent breach. The impact on integrity and availability is likely limited but cannot be ruled out if attackers use the information to escalate privileges or disrupt services. Because exploitation requires no authentication, the vulnerability is accessible to a wide range of attackers, including opportunistic threat actors, which raises the risk profile. Organizations with public-facing websites using this plugin are particularly exposed, and the risk is heightened if the plugin is not updated promptly or if compensating controls are not implemented.
Mitigation Recommendations
1. Monitor for and apply any official patches or updates released by MotoPress for the Restaurant Menu plugin immediately upon availability.
2. Until patches are available, restrict access to the plugin's files and endpoints using web application firewalls (WAFs) or server-level access controls to prevent unauthorized retrieval of sensitive information.
3. Conduct a thorough audit of the web server and plugin configuration to identify and remove any embedded sensitive data that should not be publicly accessible.
4. Implement strict least-privilege principles for user roles managing the WordPress site to limit potential exploitation vectors.
5. Enable detailed logging and monitoring of web requests to detect unusual access patterns or attempts to access sensitive plugin resources.
6. Consider temporarily disabling the plugin if it is not critical to operations until a secure version is available.
7. Educate web administrators about the risks of information disclosure vulnerabilities and the importance of timely updates.
8. Review and enhance overall WordPress security posture, including regular backups and incident response readiness.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-11T16:06:59.982Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b0394eb3efac366ff1ff
Added to database: 12/18/2025, 7:41:45 AM
Last enriched: 12/18/2025, 9:47:00 AM
Last updated: 12/19/2025, 7:53:37 AM