Description

The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, such as a subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including theme_mods, pages, menus, and front page settings.

PUBLISHED Reserved 2026-01-04 | Published 2026-03-28 | Updated 2026-04-02 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status
unknown

Any version
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/f3f4a734-5828-4e3f-a170-28189aeda929/ exploit vdb-entry technical-description

cve.org (CVE-2025-15445)

nvd.nist.gov (CVE-2025-15445)
