CVE-2025-49914: Exposure of Sensitive System Information to an Unauthorized Control Sphere in jetmonsters Restaurant Menu by MotoPress
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7.
AI Analysis
Technical Summary
CVE-2025-49914 is a vulnerability identified in the jetmonsters Restaurant Menu by MotoPress WordPress plugin, affecting all versions up to and including 2.4.7. The flaw allows an attacker with at least limited privileges (PR:L) to remotely retrieve embedded sensitive system information without requiring user interaction (UI:N). The vulnerability is classified as an exposure of sensitive system information to an unauthorized control sphere, meaning that data intended to be protected within the system is accessible to unauthorized users.

The CVSS v3.1 base score is 6.5, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This means the attack can be performed remotely over the network with low attack complexity, requires some privileges but no user interaction, and impacts confidentiality significantly, while integrity and availability remain unaffected. The sensitive information exposed could include configuration details, credentials, or other embedded data that could facilitate further exploitation or lateral movement within the environment.

No known exploits are currently reported in the wild, and no official patches have been released at the time of publication. The vulnerability was reserved in June 2025 and published in December 2025. The affected plugin is commonly used in WordPress-based restaurant websites to manage menus, making it a target for attackers seeking to gather intelligence or escalate privileges.
Potential Impact
For European organizations, particularly those in the hospitality and restaurant sectors using WordPress with the jetmonsters Restaurant Menu by MotoPress plugin, this vulnerability poses a risk of sensitive data leakage. Exposure of embedded sensitive system information can lead to unauthorized disclosure of configuration details, API keys, or credentials, which attackers could leverage for further attacks such as privilege escalation, data theft, or lateral movement within the network. While the vulnerability does not directly compromise system integrity or availability, the confidentiality breach can have significant reputational and operational impacts, especially under stringent data protection regulations like GDPR. Organizations relying on this plugin for their online presence may face increased risk of targeted attacks, data breaches, or compliance violations if the vulnerability is exploited. The medium severity rating suggests a moderate but non-negligible threat level, warranting timely mitigation to prevent escalation.
Mitigation Recommendations
1. Immediately restrict access to the jetmonsters Restaurant Menu plugin’s administrative and configuration interfaces to trusted users only, employing role-based access controls to minimize privilege exposure.
2. Monitor web server and application logs for unusual access patterns or attempts to retrieve sensitive data from the plugin endpoints.
3. Disable or remove the plugin if it is not essential, to reduce the attack surface.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin’s known vulnerable components.
5. Stay informed about official patches or updates from MotoPress and apply them promptly once released.
6. Conduct a thorough audit of exposed data to identify any leaked credentials or sensitive information and rotate or revoke them as necessary.
7. Educate site administrators about the risks and ensure that the principle of least privilege is enforced across all WordPress plugins and user accounts.
8. Consider deploying security plugins that can detect and alert on anomalous plugin behavior or unauthorized data access attempts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-11T16:06:59.982Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0394eb3efac366ff1ff
Added to database: 12/18/2025, 7:41:45 AM
Last enriched: 1/20/2026, 8:11:39 PM
Last updated: 2/7/2026, 8:57:16 PM