Platform
wordpress
Component
fw-food-menu
Fixed in
6.0.1
CVE-2025-49448 describes an Arbitrary File Access vulnerability in the FW Food Menu WordPress plugin. It potentially allows attackers to read arbitrary files on the server by manipulating file paths. The issue affects versions of FW Food Menu from n/a up to and including 6.0.0. A patch has been released in version 6.0.1.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files on the web server. This could include configuration files containing database credentials, source code, or other confidential data. Successful exploitation could lead to data breaches, compromise of the entire WordPress installation, and potential lateral movement within the network if the server has access to other resources. The impact is amplified if the server hosts multiple websites or applications, increasing the potential blast radius.
This vulnerability was publicly disclosed on 2025-06-27. No public proof-of-concept code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The HIGH CVSS score indicates a significant risk, and proactive mitigation is recommended.
WordPress websites utilizing the FW Food Menu plugin are at risk. This includes sites with legacy configurations, shared hosting environments where file permissions may be less restrictive, and those that haven't implemented robust security monitoring practices. Sites using older, unmaintained versions of WordPress are also at increased risk due to potential compatibility issues with the updated plugin.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/fw-food-menu/*
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/fw-food-menu/../../../../etc/passwd' # Check for file disclosure
• wordpress / composer / npm:
wp plugin list --status=active | grep 'fw-food-menu'
• wordpress / composer / npm:
wp plugin update fw-food-menu
Exploit status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the FW Food Menu plugin to version 6.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Carefully review file permissions on the server to ensure that sensitive files are not accessible by the web server user. Monitor access logs for suspicious file access attempts.
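The "monitor access logs" step above, as an added example that is not part of this advisory: a Python scanner over constructed combined-format log lines that flags parent-directory sequences in requests to the plugin directory, percent-decoding repeatedly because a literal grep for `../` misses `..%2F` and double-encoded `%252e%252e%252f`. The `file` query parameter in the sample lines is a placeholder; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_PATH = "/wp-content/plugins/fw-food-menu/"
# Raw-form traversal markers: plain, backslash, single-encoded slash, encoded dots.
TRAVERSAL_RAW = re.compile(r'\.\./|\.\.\\|\.\.%2f|\.\.%5c|%2e%2e', re.IGNORECASE)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) are seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_traversal_attempt(target):
    """True if the request target carries a parent-directory sequence in raw or decoded form."""
    decoded = decode_fully(target).replace("\\", "/")
    return bool(TRAVERSAL_RAW.search(target)) or "../" in decoded

def scan_log(lines):
    """Return traversal attempts aimed at the plugin directory; the status shows which got a 200."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        target = m.group("target")
        if PLUGIN_PATH in decode_fully(target).lower() and is_traversal_attempt(target):
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "target": target, "decoded": decode_fully(target)})
    return hits

# Constructed sample lines (not real traffic); "file" is a placeholder parameter name.
# The last line traverses outside the plugin path and is deliberately not reported.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2025:10:01:02 +0000] "GET /wp-content/plugins/fw-food-menu/assets/style.css HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Jun/2025:10:01:09 +0000] "GET /wp-content/plugins/fw-food-menu/?file=../../../../wp-config.php HTTP/1.1" 200 3010',
    '198.51.100.9 - - [28/Jun/2025:10:02:11 +0000] "GET /wp-content/plugins/fw-food-menu/?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 199',
    '198.51.100.9 - - [28/Jun/2025:10:02:15 +0000] "GET /wp-content/plugins/fw-food-menu/?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3010',
    '192.0.2.4 - - [28/Jun/2025:10:03:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["decoded"])
```

A hit with status 200 is the one to investigate first: the request reached the plugin and the server answered it rather than the WAF blocking it.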
Update the FW Food Menu plugin to the latest available version to fix the path traversal vulnerability. Check for available updates in the WordPress admin dashboard or through the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
CVE-2025-49448 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through the FW Food Menu plugin. It affects versions before 6.0.1 and requires immediate attention.
You are affected if your WordPress site uses the FW Food Menu plugin and is running a version prior to 6.0.1. Check your plugin versions and upgrade immediately if vulnerable.
Upgrade the FW Food Menu plugin to version 6.0.1 or later. If upgrading is not possible, implement a WAF rule to block path traversal attempts and restrict file permissions.
There is currently no confirmed active exploitation of CVE-2025-49448, but the vulnerability's nature makes it a potential target for opportunistic attacks.
Refer to the official FW Food Menu website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-49448.