CVE-2025-15445 PUBLISHED

Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation

Assigner: WPScan
Reserved: 04.01.2026 Published: 28.03.2026 Updated: 28.03.2026

The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings.

Product Status

Vendor	Unknown
Product	Restaurant Cafeteria
Versions	Default: unknown affected from 0 to 0.4.6 (incl.)

Credits

Khaled Alenazi (Nxploited) finder
WPScan coordinator

References

https://wpscan.com/vulnerability/f3f4a734-5828-4e3f-a170-28189aeda929/

Problem Types

CWE-862 Missing Authorization CWE