CVE-2023-5340
📋 TL;DR
This vulnerability in the Five Star Restaurant Menu and Food Ordering WordPress plugin allows unauthenticated attackers to perform PHP Object Injection by sending specially crafted AJAX requests. This can lead to remote code execution, data theft, or site takeover. Any WordPress site using vulnerable versions of this plugin is affected.
💻 Affected Systems
- Five Star Restaurant Menu and Food Ordering WordPress plugin
📦 What is this software?
Five Star Restaurant Menu by Fivestarplugins
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data exfiltration, malware installation, or ransomware deployment.
Likely Case
Unauthenticated attackers achieve remote code execution to deface websites, steal sensitive data, or install backdoors.
If Mitigated
Attackers can still send malicious requests but cannot achieve code execution due to lack of suitable PHP gadgets.
🎯 Exploit Status
Exploitation requires a suitable PHP gadget chain in the WordPress environment, which is commonly available through other plugins or themes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.11
Vendor Advisory: https://wpscan.com/vulnerability/91a5847a-62e7-4b98-a554-5eecb6a06e5b
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Five Star Restaurant Menu and Food Ordering'. 4. Click 'Update Now' if available. 5. If manual update needed, download version 2.4.11 from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allAdd code to functions.php to remove the vulnerable AJAX action hook
add_action('init', function() { remove_action('wp_ajax_nopriv_food_ordering_ajax', 'food_ordering_ajax_callback'); remove_action('wp_ajax_food_ordering_ajax', 'food_ordering_ajax_callback'); });
Disable plugin
linuxTemporarily deactivate the plugin until patched
wp plugin deactivate five-star-restaurant-menu-and-food-ordering
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing serialized PHP objects
- Restrict access to the WordPress site using IP whitelisting or authentication
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is below 2.4.11, site is vulnerable.Check Version:
wp plugin get five-star-restaurant-menu-and-food-ordering --field=versionVerify Fix Applied:
Confirm plugin version shows 2.4.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=food_ordering_ajax containing serialized data
- Unusual PHP errors related to unserialize() or object instantiation
Network Indicators:
- HTTP POST requests to admin-ajax.php endpoint with serialized payloads
- Unusual outbound connections from WordPress server after exploitation
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="food_ordering_ajax" AND (params.data CONTAINS "O:" OR params.data CONTAINS "a:")