Platform: wordpress
Component: fw-food-menu
Fixed in: 6.0.1
CVE-2025-49447 describes an Arbitrary File Access vulnerability in the FW Food Menu WordPress component developed by Fastw3b LLC. The flaw lets unauthorized users upload files of any type, bypassing the intended restrictions on file type. It affects versions of FW Food Menu prior to 6.0.1; version 6.0.1 contains the fix.
The Arbitrary File Access vulnerability in FW Food Menu poses a significant threat. An attacker could upload malicious files, such as web shells (e.g., PHP, ASPX) or executable code, to the server. Successful upload and execution could grant the attacker remote code execution (RCE) capabilities, effectively compromising the entire system. Furthermore, attackers could upload files containing malware to infect users accessing the website. The blast radius extends beyond the immediate application, potentially impacting the underlying server and any connected systems. The ability to upload arbitrary files bypasses standard security controls, making this a high-risk vulnerability. The lack of file type validation is the root cause, allowing attackers to circumvent intended restrictions.
CVE-2025-49447 was published on 2025-06-17. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. There are currently no known public Proof-of-Concept (POC) exploits, but the ease of exploitation (an unrestricted upload) suggests that POCs are likely to emerge. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, nor does it have an EPSS score. No active campaigns targeting this vulnerability are currently known, but given the severity and ease of exploitation, monitoring is crucial.
Exploit Status
EPSS: 0.10% (29th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-49447 is to upgrade FW Food Menu to version 6.0.1 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds: restrict uploads to an explicit allowlist of file types enforced by server-side validation; configure the web server so that files in the upload directory cannot be executed; consider a Web Application Firewall (WAF) with rules that detect and block suspicious file uploads; and monitor the file system for unexpected file creations or modifications, particularly within the upload directory. After upgrading, confirm the fix by attempting to upload a file with a disallowed extension (e.g., .php) and verifying that the upload is rejected.
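A defender-side check that complements the server-side allowlist and the file-system monitoring recommended above, written for this advisory and not taken from the FW Food Menu plugin or its vendor: it walks a WordPress uploads tree and flags every file a strict image allowlist would have rejected, including double extensions (menu.php.jpg) and PHP source stored under an image extension. The executable-extension set, the image allowlist and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
# Executable extensions for a typical PHP host, and an image-only allowlist keyed to magic bytes (assumptions).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG", "gif": b"GIF8"}

def classify(name, head, allowed=ALLOWED):
    """Return None for a file that passes the allowlist, else the reason it fails."""
    exts = name.lower().split(".")[1:]
    if not exts:
        return "no extension"
    if any(e in EXECUTABLE_EXTS for e in exts):
        return "executable extension in name"  # catches menu.php and menu.php.jpg
    last = exts[-1]
    if last not in allowed:
        return f"extension .{last} not in allowlist"
    if not head.startswith(allowed[last]):
        return f"content does not match .{last} signature"  # PHP source named .jpg
    return None

def scan_uploads(root, allowed=ALLOWED):
    """Walk an uploads tree; return sorted (relative path, reason) for each failing file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(8)  # only the leading bytes are needed for the signature check
            reason = classify(fname, head, allowed)
            if reason:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample uploads directory: two legitimate images and four files to flag."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    sub = os.path.join(root, "2025", "06")
    os.makedirs(sub)
    samples = {
        "menu.jpg": b"\xff\xd8\xff\xe0JFIF",
        "logo.png": b"\x89PNG\r\n\x1a\n",
        "dropped.php": b"<?php echo 1;",   # executable extension
        "menu.php.jpg": b"<?php echo 1;",  # double extension
        "cover.jpg": b"<?php echo 1;",     # PHP source behind an image extension
        "notes.txt": b"hello",             # not an image at all
    }
    for fname, data in samples.items():
        with open(os.path.join(sub, fname), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_uploads("/path/to/wp-content/uploads")` against a real tree; every finding is a file that the allowlist described in the mitigation would have refused at upload time.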
Update the FW Food Menu plugin to the latest available version to fix the arbitrary file upload vulnerability. Check for available updates in the WordPress admin panel or through the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
It is a critical Arbitrary File Access vulnerability in Fastw3b LLC's FW Food Menu that allows attackers to upload malicious files.
If you're using FW Food Menu versions prior to 6.0.1, you are vulnerable. Check your installation immediately.
Upgrade to FW Food Menu version 6.0.1 or later. Implement temporary workarounds like file type restrictions if immediate upgrade isn't possible.
While no active campaigns are currently known, the vulnerability's severity and ease of exploitation suggest it's a potential target.
Refer to the official Fastw3b LLC advisory (if available) and the NVD entry for CVE-2025-49447 for detailed information.