CVE-2025-49914 – This vulnerability in the Restaurant Menu by Mo... (How to Fix)

📋 TL;DR

This vulnerability in the Restaurant Menu by MotoPress WordPress plugin exposes sensitive system information to unauthorized users. Attackers can retrieve embedded sensitive data from affected installations. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

Restaurant Menu by MotoPress (mp-restaurant-menu)

Versions: All versions up to and including 2.4.7

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the vulnerable plugin active.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to sensitive system information, database credentials, or configuration details that could lead to full site compromise.

🟠

Likely Case

Unauthorized users retrieve sensitive plugin or system configuration data that could be used for reconnaissance or further attacks.

🟢

If Mitigated

Limited exposure of non-critical system information with minimal impact on overall security posture.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Based on CWE-497 and CVSS score, exploitation likely requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.4.7

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-7-sensitive-data-exposure-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Restaurant Menu by MotoPress'
4. Click 'Update Now' if available
5. If no update available, deactivate and remove the plugin

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Restaurant Menu by MotoPress plugin

wp plugin deactivate mp-restaurant-menu

🧯 If You Can't Patch

Implement web application firewall rules to block access to sensitive plugin endpoints
Restrict access to the WordPress admin interface using IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Restaurant Menu by MotoPress version

Check Version:

wp plugin get mp-restaurant-menu --field=version

Verify Fix Applied:

Verify plugin version is greater than 2.4.7

📡 Detection & Monitoring

Log Indicators:

Unusual requests to plugin-specific endpoints
Multiple failed attempts to access sensitive plugin files

Network Indicators:

HTTP requests to /wp-content/plugins/mp-restaurant-menu/ with unusual parameters

SIEM Query:

source="web_server" AND uri="/wp-content/plugins/mp-restaurant-menu/*" AND status=200

📊 Metadata

CVE ID: CVE-2025-49914

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-497

EPSS Score: 0.04% exploit probability (11.7th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-7-sensitive-data-exposure-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-49914, you might also want to check these: