// For flags

CVE-2022-2696

Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.0 - Missing Authorization on AJAX Actions

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attackers with minimal permissions to perform a wide variety of actions such as modifying the plugin's settings and modifying the ordering system preferences.

El complemento Restaurant Menu Food Ordering System Table Reservation para WordPress es vulnerable a la omisión de autorización a través de varias acciones AJAX en versiones hasta la 2.3.0 incluida debido a la falta de comprobaciones de capacidad y de validación nonce. Esto hace posible que atacantes autenticados con permisos mínimos realicen una amplia variedad de acciones, como modificar la configuración del complemento y modificar las preferencias del sistema de pedidos.

*Credits: ptsfence
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Complete
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-08-06 CVE Reserved
  • 2022-10-31 CVE Published
  • 2024-05-26 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
 Restaurant Menu - Food Ordering System - Table Reservation
Search vendor "Oracle" for product "Restaurant Menu - Food Ordering System - Table Reservation"
 < 2.3.1
Search vendor "Oracle" for product "Restaurant Menu - Food Ordering System - Table Reservation" and version " < 2.3.1"
wordpress
Affected