CVE-2025-15445
Insecure Admin-Ajax Actions in Restaurant Cafeteria Theme Enable RCE
Publication date: 2026-03-28
Last updated on: 2026-03-29
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| restaurant_cafeteria | restaurant_cafeteria | up to and including 0.4.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15445 affects the WordPress theme "Restaurant Cafeteria" versions up to 0.4.6 and involves insecure admin-ajax actions that lack nonce or capability checks.
This means that any logged-in user, even those with minimal privileges like subscribers, can perform privileged operations that should normally be restricted.
Specifically, an attacker can supply a URL hosting a malicious plugin ZIP file and use the AJAX action `restaurant_cafeteria_install_and_activate_plugin` to download, extract, and activate this plugin on the target site.
Activation of this plugin leads to arbitrary PHP code execution (Remote Code Execution) on the site.
Additionally, another AJAX action `import_theme_mods` can be exploited to import demo content that overwrites site configurations such as theme modifications, pages, menus, and front page settings without authorization.
How can this vulnerability impact me?
This vulnerability allows low-privileged users to perform actions normally reserved for administrators, including installing and activating arbitrary plugins.
As a result, an attacker can execute arbitrary PHP code on your WordPress site, potentially taking full control over it.
Moreover, the attacker can modify your site's configuration and content by importing demo content that rewrites theme settings, pages, menus, and front page layouts.
These impacts can lead to site defacement, data loss, unauthorized access, and compromise of the entire website environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the WordPress admin-ajax.php endpoint that invoke the vulnerable AJAX actions.
- Monitor POST requests to wp-admin/admin-ajax.php with the action parameter set to 'restaurant_cafeteria_install_and_activate_plugin' or 'import_theme_mods'.
- Look for POST requests containing parameters that specify plugin installation details or theme modification imports.
Example command to find such requests in web server logs (assuming Apache's default access log path):
- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'action=restaurant_cafeteria_install_and_activate_plugin|action=import_theme_mods'`
Additionally, monitoring for unexpected plugin installations or activations via WordPress CLI or dashboard could indicate exploitation attempts.
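As an added example (not part of this advisory), the following Python scanner applies the detection logic above to Apache combined-format access-log lines; the log lines are constructed for illustration. It also covers a case the grep alone misses: WordPress reads the AJAX action from either the query string or the POST body, and the body is not written to the access log, so POSTs to admin-ajax.php with no visible action are flagged separately for follow-up rather than silently passed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two AJAX action names the advisory for CVE-2025-15445 identifies.
SUSPICIOUS_ACTIONS = {"restaurant_cafeteria_install_and_activate_plugin", "import_theme_mods"}

# Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return 'hit', 'opaque' or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [None])[0]
    if action in SUSPICIOUS_ACTIONS:
        return "hit"          # action visible in the query string
    # WordPress reads the action from $_REQUEST, so a client may send it in the
    # POST body, which the combined log format does not record. Such requests
    # cannot be cleared from the access log alone; flag them for a second look
    # (request-body logging, WAF events, or the plugin/theme_mods audit trail).
    if m.group("method") == "POST" and action is None:
        return "opaque"
    return None

def scan(lines):
    """Group log lines by verdict so the 'hit' and 'opaque' sets can be reviewed."""
    out = {"hit": [], "opaque": []}
    for line in lines:
        verdict = classify(line)
        if verdict:
            out[verdict].append(line)
    return out

# Constructed sample log lines (not taken from any real site).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=restaurant_cafeteria_install_and_activate_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=import_theme_mods HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Mar/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [28/Mar/2026:10:02:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for verdict, lines in scan(SAMPLE_LOG).items():
        print(verdict.upper(), [l.split('"')[1] for l in lines])
```

Point `scan` at the real log (for example `open('/var/log/apache2/access.log')`) and review every 'hit' and 'opaque' entry against the site's plugin list and theme_mods changes for the same time window.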
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable AJAX actions and limiting user capabilities.
- Restrict access to wp-admin/admin-ajax.php to trusted users only, for example by IP whitelisting or authentication.
- Temporarily disable or remove the Restaurant Cafeteria WordPress theme version 0.4.6 or earlier until a patch is available.
- Limit which roles can log in to the WordPress site, and in particular keep subscriber and other low-privileged accounts from reaching the admin-ajax actions.
- Monitor the site for any unauthorized plugin installations or changes to site configuration.
Since no fix is available at the time of reporting, these steps help reduce the attack surface and prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any logged-in user, including low-privileged ones, to perform privileged operations such as arbitrary plugin installation and activation, leading to remote code execution and unauthorized modification of site configuration and content.
Such unauthorized access and control over the website can lead to potential data breaches, unauthorized data manipulation, and loss of integrity and confidentiality of data hosted on the site.
These impacts can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data protection, and integrity safeguards to prevent unauthorized access and modification.