Security Alert Summary
The Restaurant Cafeteria WordPress theme contains insecure admin-ajax actions that lack nonce and capability checks, which allows any authenticated user (for example, a subscriber) to trigger privileged operations. According to the report, an attacker can install and activate a resource from a user-supplied URL leading to arbitrary PHP code execution, and import demo content that rewrites site configuration, pages, menus, and front page settings.
CVE Details
- CVE ID: CVE-2025-15445
- Affected component: Restaurant Cafeteria WordPress theme
- Affected versions: through 0.4.6
- Published date: March 28, 2026 6:16 AM
- Last modified date: March 28, 2026 6:16 AM
- CVSS v3.1 base score / severity / vector: Not provided
- Authentication required: Yes – an authenticated, logged-in user (description notes “any logged-in user, like subscriber”)
- Privileges required: No elevated privileges beyond being a logged-in user (description indicates subscribers can trigger the actions)
- User interaction: Requires a logged-in user to trigger the vulnerable admin-ajax actions
- Primary impact:
  - Confidentiality: Potential exposure depending on actions performed by arbitrary code
  - Integrity: High – arbitrary PHP code execution and rewriting of site configuration, pages, menus, and front page settings
  - Availability: Possible disruption if site configuration or code is modified
- CWE / weakness ID: Not provided
Technical Details
The theme exposes insecure admin-ajax actions that do not implement nonce verification or capability checks, allowing any authenticated user to call privileged operations. The provided description states that an attacker can “install and activate a from a user-supplied URL,” which leads to arbitrary PHP code execution. The theme also allows importing demo content that rewrites site configuration including theme-specific settings, pages, menus, and the front page assignment.
The root cause is missing server-side access controls on admin-ajax endpoints: absent nonce checks and absent capability validation mean the theme trusts authenticated requests without verifying the caller’s intent or privileges. Because these endpoints can trigger installation/activation and import routines, they permit actions that should be restricted to administrators.
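The following is an added illustration, not code from the Restaurant Cafeteria theme or from the advisory: a generic admin-ajax handler written once without the controls described above and once with them. The hook names, the `example_theme_*` functions, the `example_theme_admin` nonce action and the `example-theme-admin` script handle are all hypothetical; `example_theme_perform_install()` stands in for whatever privileged install or import routine a theme would run.

```php
<?php
/*
 * Added example (not the theme's code). Shows the missing controls the advisory
 * describes: a nonce check (proves the request came from a page the site issued
 * to this user) and a capability check (proves the user is actually allowed to
 * perform the privileged operation). All example_theme_* names are hypothetical.
 */

/* Placeholder for the privileged routine (assumed, not implemented here). */
function example_theme_perform_install( $url ) {
    /* ... would download, unpack and activate whatever $url points at ... */
}

/* --- VULNERABLE pattern: any logged-in user reaches the privileged call --- */
/* Not registered below so the two versions do not collide on the same action. */
function example_theme_install_insecure() {
    // wp_ajax_* hooks only require a logged-in session; a subscriber gets here.
    $url = isset( $_POST['url'] ) ? $_POST['url'] : '';
    example_theme_perform_install( $url ); // runs with no nonce and no capability check
    wp_send_json_success();
}

/* --- HARDENED pattern: intent + authorization + input validation --- */
add_action( 'wp_ajax_example_theme_install', 'example_theme_install_secure' );
function example_theme_install_secure() {
    // 1. Intent (CSRF): the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'example_theme_admin', 'nonce' );

    // 2. Authorization: only users permitted to install themes may continue.
    //    wp_send_json_error() ends the request, so nothing below runs for others.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: validate the supplied URL before it reaches the installer.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    example_theme_perform_install( $url );
    wp_send_json_success();
}

/* The nonce is minted server-side and handed to the admin page script that
 * calls the endpoint; a request without it (or with someone else's) fails step 1. */
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-theme-admin', 'exampleTheme', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_theme_admin' ),
    ) );
} );
```

The two checks are independent and both are needed: the nonce alone would still let a subscriber with a valid nonce call the endpoint, and the capability check alone would still let an administrator be tricked into triggering it from another site. The capability to test against should match the operation (`install_themes` or `install_plugins` for installs, `edit_theme_options` or `manage_options` for configuration and demo imports), never just "is logged in".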
How This Could Impact Your Website
Consider a small restaurant site with a site owner (administrator), a manager who publishes menus (editor), a staff member who updates hours (author), and a contributor who submits content. If a contributor or another authenticated user can call the unsecured admin-ajax actions, they could cause installation of external code and import demo content that changes site configuration. Practical consequences include altered navigation or front page settings, unintended pages or content appearing on the site, and potential execution of arbitrary PHP code introduced by the attacker.
Those outcomes can increase the exposure of internal user information, raise the risk of targeted phishing or social engineering against staff or customers, and disrupt front-end functionality. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected theme as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can be authenticated.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained themes and plugins.
- Monitor site activity and logs for unusual behavior such as unexpected plugin/theme installs, configuration changes, or imports.
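As an added example of the monitoring step (not code from the advisory or the theme), the following must-use plugin writes one audit line per theme or plugin install, theme switch, plugin activation, front-page or menu change, and per admin-ajax action invoked by a user who cannot manage theme options. The `example_audit_log()` function and the `[wp-audit]` prefix are hypothetical; the WordPress hooks it attaches to are real core hooks. Drop it into `wp-content/mu-plugins/` and forward the PHP error log to whatever log collector the site already uses.

```php
<?php
/*
 * Added example (not from the advisory or the theme): audit logging for the
 * events the "Monitor site activity" recommendation lists. example_audit_log()
 * and the [wp-audit] prefix are hypothetical names; the hooks are WordPress core.
 */

function example_audit_log( $event, array $details = array() ) {
    $user = wp_get_current_user();
    $line = sprintf(
        '[wp-audit] %s user=%s(%d) ip=%s uri=%s %s',
        $event,
        $user->user_login ? $user->user_login : 'anonymous',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        wp_json_encode( $details )
    );
    error_log( $line );
}

// Theme and plugin installs or updates that go through the WordPress upgrader.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    example_audit_log( 'upgrader_process_complete', array(
        'type'   => isset( $hook_extra['type'] ) ? $hook_extra['type'] : '',
        'action' => isset( $hook_extra['action'] ) ? $hook_extra['action'] : '',
    ) );
}, 10, 2 );

// Theme switches and plugin activations.
add_action( 'switch_theme', function ( $new_name ) {
    example_audit_log( 'switch_theme', array( 'theme' => $new_name ) );
} );
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit_log( 'activated_plugin', array( 'plugin' => $plugin ) );
} );

// Front-page assignment and navigation menus: the settings a demo import rewrites.
foreach ( array( 'show_on_front', 'page_on_front', 'page_for_posts' ) as $opt ) {
    add_action( "update_option_{$opt}", function ( $old, $new ) use ( $opt ) {
        example_audit_log( 'update_option', array( 'option' => $opt, 'old' => $old, 'new' => $new ) );
    }, 10, 2 );
}
add_action( 'wp_update_nav_menu', function ( $menu_id ) {
    example_audit_log( 'wp_update_nav_menu', array( 'menu_id' => $menu_id ) );
} );

// Any admin-ajax action invoked by a logged-in user who cannot manage theme
// options. admin-ajax.php fires admin_init, so this sees every wp_ajax_* call;
// the action name makes a low-privilege account reaching a privileged
// endpoint stand out in the log.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() && is_user_logged_in()
         && ! current_user_can( 'edit_theme_options' ) && isset( $_REQUEST['action'] ) ) {
        example_audit_log( 'admin_ajax_low_privilege', array(
            'action' => sanitize_key( $_REQUEST['action'] ),
        ) );
    }
} );
```

A subscriber account producing `admin_ajax_low_privilege` lines for a theme's own action names, followed shortly by an `upgrader_process_complete` or `update_option` line from the same account, is the sequence this advisory describes and is worth alerting on; core actions such as `heartbeat` will also appear for low-privilege users and can be filtered at the collector.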
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.