Platform: wordpress
Component: fw-food-menu
Fixed in: 6.0.1
CVE-2025-49448 describes an Arbitrary File Access vulnerability within the FW Food Menu plugin, a component for WordPress websites. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file paths. The issue affects versions of FW Food Menu from n/a up to and including 6.0.0. A patch has been released in version 6.0.1.
The Arbitrary File Access vulnerability allows an attacker to read arbitrary files from the web server's file system. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress installation and potentially the underlying server. While the description doesn't specify a direct remote code execution path, the exposure of sensitive configuration data could be leveraged to gain further access and control. The impact is amplified if the server hosts multiple WordPress sites or if the exposed data contains credentials for other systems.
CVE-2025-49448 was published on 2025-06-27. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept code is not currently available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. The vulnerability's ease of exploitation increases the risk of opportunistic attacks.
Exploit Status
EPSS: 0.10% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49448 is to immediately upgrade the FW Food Menu plugin to version 6.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Restrict file permissions on sensitive directories to prevent unauthorized access. Monitor WordPress access logs for suspicious file access attempts, particularly those involving path traversal patterns. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual file access patterns is recommended.
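A defender-side check for the log-monitoring advice above, written as an added example for this page rather than anything from the plugin or its vendor. It scans Apache combined-format access log lines (the samples below are constructed, not real traffic, and the query parameter names in them are invented, not the plugin's), percent-decodes each request target in several bounded rounds so that encoded `..%2F` and double-encoded `..%252F` sequences are caught, flags requests whose decoded target contains a `..` path segment, and marks those the server answered with a non-error status, since a 2xx reply to a traversal request is what to triage first.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines for this example; not real traffic.
# The query parameter names below are invented and are not the plugin's own.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jun/2025:10:15:01 +0000] "GET /wp-content/plugins/fw-food-menu/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Jun/2025:10:15:02 +0000] "GET /wp-content/plugins/fw-food-menu/?f=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [27/Jun/2025:10:15:03 +0000] "GET /index.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 120 "-" "Mozilla/5.0"
203.0.113.13 - - [27/Jun/2025:10:15:04 +0000] "GET /menu/..%252F..%252Fwp-config.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.14 - - [27/Jun/2025:10:15:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' segment followed by a separator or the end of the target.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def decode_fully(target, max_rounds=3):
    """Percent-decode until stable (bounded), so %252F -> %2F -> / is caught."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(target):
    """True when the decoded request target contains a '..' path segment."""
    normalized = decode_fully(target).replace('\\', '/')
    return TRAVERSAL_RE.search(normalized) is not None


def scan_log(text):
    """Return one finding per request line whose target looks like path traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        target = m.group('target')
        if not has_traversal(target):
            continue
        status = int(m.group('status'))
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'target': target,
            'decoded': decode_fully(target),
            'status': status,
            # A 2xx/3xx answer to a traversal request is the first thing to triage.
            'served': status < 400,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        outcome = 'SERVED' if f['served'] else 'rejected'
        print(f"{f['ip']} {f['status']} {outcome} {f['decoded']}")
```

The same `has_traversal` predicate is what a WAF rule for `../` approximates; the bounded multi-round decoding matters because a rule that decodes only once misses `%252F`, while the web server or PHP may decode again before the plugin sees the path. Run it over a real log with `scan_log(open(path).read())`.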
Update the FW Food Menu plugin to the latest available version to fix the path traversal vulnerability. Check for available updates in the WordPress administration panel or through the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
CVE-2025-49448 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through the FW Food Menu plugin. It affects versions before 6.0.1 and requires immediate attention.
You are affected if your WordPress site uses the FW Food Menu plugin and is running a version prior to 6.0.1. Check your plugin versions and upgrade immediately if vulnerable.
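One way to answer that question from the filesystem, added here as an example for this page and not code from the plugin or from WordPress: read the `Version:` header from the plugin's main PHP file under `wp-content/plugins/fw-food-menu/` (the main file's name is not stated on this page, so the function scans every top-level `.php` file in that directory for a header) and compare it with the fixed version 6.0.1. The sample header below is constructed, not the plugin's.

```python
import re
from pathlib import Path

FIXED_VERSION = "6.0.1"        # fixed version from the advisory
PLUGIN_SLUG = "fw-food-menu"   # plugin directory name from the advisory

# Constructed sample of a WordPress plugin file header for this example;
# the real plugin's header text is not reproduced here.
SAMPLE_HEADER = """<?php
/*
Plugin Name: FW Food Menu (constructed sample header)
Version: 6.0.0
*/
"""

# Matches 'Version: x.y.z' in a plugin header, with or without a leading '*'.
HEADER_VERSION_RE = re.compile(r'^\s*\*?\s*Version:\s*(\S+)', re.MULTILINE | re.IGNORECASE)


def parse_version(version):
    """Turn '6.0.1', '6.1' or '6.0.0-beta1' into a comparable integer tuple."""
    parts = []
    for piece in version.split('.'):
        m = re.match(r'\d+', piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def header_version(php_source):
    """Return the Version: value from a plugin file header, or None."""
    m = HEADER_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def is_vulnerable(version):
    """Versions below the fixed release are affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(plugins_dir):
    """Find the plugin's header version under <plugins_dir>/fw-food-menu, or None."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob('*.php')):
        version = header_version(php_file.read_text(errors='replace'))
        if version:
            return version
    return None


def assess(plugins_dir):
    """Summarise whether the plugin is installed and whether it needs the update."""
    version = installed_version(plugins_dir)
    if version is None:
        return {'installed': False, 'version': None, 'vulnerable': False}
    return {'installed': True, 'version': version, 'vulnerable': is_vulnerable(version)}


if __name__ == '__main__':
    import sys
    import tempfile
    if len(sys.argv) > 1:
        # e.g. python check.py /var/www/html/wp-content/plugins
        print(assess(sys.argv[1]))
    else:
        # Demo against a temporary directory holding the constructed header.
        with tempfile.TemporaryDirectory() as tmp:
            d = Path(tmp) / PLUGIN_SLUG
            d.mkdir()
            (d / 'plugin.php').write_text(SAMPLE_HEADER)
            print(assess(tmp))
```

Point it at the site's `wp-content/plugins` directory; on a multi-site host, run it once per installation, since the same outdated plugin copy is often present on more than one site.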
Upgrade the FW Food Menu plugin to version 6.0.1 or later. If upgrading is not possible, implement a WAF rule to block path traversal attempts and restrict file permissions.
There is currently no confirmed active exploitation of CVE-2025-49448, but the vulnerability's nature makes it a potential target for opportunistic attacks.
Refer to the official FW Food Menu website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-49448.