CVE-2025-60128: CWE-862 Missing Authorization in WP Delicious Delisho
Missing Authorization vulnerability in WP Delicious Delisho allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delisho: from n/a through 1.1.3.
AI Analysis
Technical Summary
CVE-2025-60128 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'WP Delicious Delisho' up to version 1.1.3. It arises from improperly configured access control: an authenticated user with limited privileges can perform actions or reach resources that should be restricted to higher-privileged roles. No user interaction beyond authentication is required, and the flaw can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 4.3, a medium severity; the impact is on integrity (I:L), with no direct impact on confidentiality or availability. Attack complexity is low (AC:L) and no user interaction is involved (UI:N). Although no exploits are currently reported in the wild, the flaw could allow authenticated users to escalate privileges or manipulate data they are not authorized to access, leading to unauthorized modifications within the affected WordPress environment. The absence of a patch or mitigation link suggests that the vendor has not yet released an official fix, which increases the urgency for administrators to apply compensating controls and monitor for suspicious activity. The Delisho plugin provides restaurant menu and food delivery-related functionality on WordPress sites, so the issue is most relevant to websites in the hospitality and food service sectors.
Potential Impact
For European organizations, especially those operating in the hospitality, food delivery, or restaurant sectors using WordPress with the Delisho plugin, this vulnerability could lead to unauthorized modification of menu data, pricing, or order processing workflows. Such unauthorized changes could damage business reputation, cause financial loss, or disrupt customer experience. Although the confidentiality and availability impacts are minimal, integrity violations could undermine trust in online ordering systems. Furthermore, if attackers leverage this vulnerability as a foothold, it could be a stepping stone to broader compromise within the WordPress environment, potentially exposing other plugins or sensitive data. Given the widespread use of WordPress across Europe and the popularity of food service websites, the vulnerability poses a moderate risk, particularly to small and medium enterprises that may not have rigorous security monitoring or patch management processes.
Mitigation Recommendations
Since no official patch is currently available, European organizations should take immediate steps to mitigate risk. These include:
1) Restricting access to the WordPress admin and plugin management interfaces to trusted IP addresses or VPN users only;
2) Implementing strict role-based access controls within WordPress to ensure users have only the minimum necessary privileges;
3) Monitoring logs for unusual activity related to the Delisho plugin, such as unexpected changes to menu items or orders;
4) Temporarily disabling or uninstalling the Delisho plugin if it is not critical to business operations until a patch is released;
5) Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin endpoints;
6) Keeping WordPress core and all other plugins updated to reduce the attack surface; and
7) Preparing incident response plans specific to WordPress plugin abuse scenarios.
Organizations should also subscribe to vendor and security mailing lists to receive timely updates on patches or exploit disclosures.
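As an added illustration of the CWE-862 pattern described in the technical summary and of the role-based access control recommendation above, here is a hypothetical WordPress AJAX handler in its unchecked form beside a hardened form. This is not Delisho's code; the action name, function names, nonce action and meta key are all assumed.

```php
<?php
// Added example, not Delisho's code. All names below (the 'delisho_update_price'
// action, the '_delisho_price' meta key, the nonce action) are assumed.

// VULNERABLE (CWE-862): 'wp_ajax_' hooks fire for any logged-in user, including
// Subscribers. Nothing here asks whether this user may edit this menu item, so a
// low-privileged account could change a price: the integrity impact (I:L) the
// advisory describes. Left unregistered here on purpose.
function delisho_update_price_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $price   = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    update_post_meta( $post_id, '_delisho_price', $price );
    wp_send_json_success();
}
// add_action( 'wp_ajax_delisho_update_price', 'delisho_update_price_unchecked' );

// HARDENED: authorization is decided inside the handler, per object, regardless
// of whether the admin UI ever showed this user an "edit price" button.
function delisho_update_price_checked() {
    // Reject forged cross-site requests: the nonce must match this action.
    check_ajax_referer( 'delisho_update_price', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Object-level check: WordPress resolves the 'edit_post' meta capability
    // against this post and the caller's role, so the decision follows the
    // site's role configuration rather than trusting the client.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    $price = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    if ( ! is_numeric( $price ) || (float) $price < 0 ) {
        wp_send_json_error( array( 'message' => 'invalid price' ), 400 ); // exits
    }

    update_post_meta( $post_id, '_delisho_price', $price );
    wp_send_json_success( array( 'post_id' => $post_id, 'price' => $price ) );
}
add_action( 'wp_ajax_delisho_update_price', 'delisho_update_price_checked' );

// The same rule applies to REST routes registered with register_rest_route():
// the capability check belongs in 'permission_callback', never '__return_true'.
```

A handler built this way denies the request at the server even when an attacker calls the endpoint directly, which is the property the plugin's missing check fails to provide.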
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:29.870Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68d72b6179aa5c9d0854f48a
Added to database: 9/27/2025, 12:10:09 AM
Last enriched: 9/27/2025, 12:14:49 AM
Last updated: 10/2/2025, 12:11:00 AM