CVE-2024-13415
📋 TL;DR
The Food Menu plugin for WordPress has a missing capability check that allows authenticated users with Subscriber-level access or higher to modify plugin settings. This vulnerability affects all versions up to and including 5.1.4, potentially allowing unauthorized configuration changes.
💻 Affected Systems
- Food Menu – Restaurant Menu & Online Ordering for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical plugin settings, disable security features, or inject malicious code into the restaurant menu system, potentially compromising the entire WordPress site.
Likely Case
Subscribers or other low-privilege users could alter menu items, pricing, or ordering settings, causing business disruption or financial loss.
If Mitigated
With proper user access controls and monitoring, impact would be limited to minor configuration changes that could be quickly detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Food Menu' plugin
4. Click 'Update Now' if available
5. If no update appears, download version 5.1.5+ from WordPress.org
6. Deactivate, delete old version, upload and activate new version
🔧 Temporary Workarounds
Temporary Role Restriction
allTemporarily restrict Subscriber role capabilities or remove unnecessary Subscriber users
Use WordPress role management plugin or custom code to modify capabilities
Plugin Deactivation
linuxTemporarily deactivate the Food Menu plugin until patched
wp plugin deactivate tlp-food-menu
🧯 If You Can't Patch
- Implement strict user access controls and monitor for unauthorized configuration changes
- Use web application firewall rules to block suspicious AJAX requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Food Menu → Version number. If version is 5.1.4 or lower, system is vulnerable.Check Version:
wp plugin get tlp-food-menu --field=versionVerify Fix Applied:
Verify plugin version is 5.1.5 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX POST requests to /wp-admin/admin-ajax.php with action=tlp_fm_settings
- Multiple settings changes from non-admin users
- Unexpected modifications to food menu configuration
Network Indicators:
- POST requests to admin-ajax.php with tlp_fm_settings parameter from non-admin IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "tlp_fm_settings" AND NOT user_role="administrator"🔗 References
- https://plugins.svn.wordpress.org/tlp-food-menu/tags/5.1.4/app/Controllers/Admin/Ajax/Settings.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3231030%40tlp-food-menu&new=3231030%40tlp-food-menu&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ab6dd645-8831-49bc-b6b1-bb153ef79204?source=cve
