WordPress plugins make building websites simple, but sometimes security mistakes slip in. _CVE-2022-2696_ is a serious vulnerability in the popular Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress, affecting versions up to and including 2.3. It lets almost any logged-in user, no matter how low their role, modify your restaurant’s entire ordering and reservation configuration.
In this post, we’ll explain the bug in plain language, walk through how it works, look at a basic proof-of-concept exploit, and share links to official advisories and resources.
What Is CVE-2022-2696?
The “Restaurant Menu – Food Ordering System – Table Reservation” plugin helps restaurants create menus, handle online orders, and manage table bookings. Up through version 2.3, it had a critical flaw:
- It does not properly check the user’s capabilities or a nonce value in key backend actions.
- This lets ANY logged-in user—including subscribers and customers—change the plugin’s settings or mess with the ordering system.
For site administrators, this could mean massive headaches: fake menu items, changed prices, or disruptions to your online ordering process.
Why Did This Happen?
WordPress provides tools—capability checks and nonces—to make sure only the right people can do sensitive things, like change menu settings. This plugin forgot to use those checks in several backend AJAX (background JavaScript) actions.
So long as a user is logged in (even with the lowest role), they could directly call these AJAX actions and make changes only admins should be able to make.
Here’s a simplified example:
// Pseudo-code based on the plugin's vulnerable code (PHP)
// wp_ajax_* hooks fire for any logged-in user, whatever their role.
add_action('wp_ajax_wpos_save_menu_settings', 'wpos_save_menu_settings');

function wpos_save_menu_settings() {
    // NO capability check: any logged-in user can call this!
    // NO nonce check: the request can also be forged cross-site (CSRF)!
    // Raw, unsanitized POST data is written straight to the options table.
    $settings = $_POST['settings'];
    update_option('restaurant_menu_settings', $settings);
    wp_send_json_success('Settings updated!');
}
In this vulnerable code, even a “Subscriber” user in WordPress can call wp-admin/admin-ajax.php?action=wpos_save_menu_settings and update the restaurant menu settings.
- Attacker logs in.
- Attacker crafts a POST request to the vulnerable AJAX action endpoint, which does not require any secret (nonce) or real admin permission:
curl -d 'action=wpos_save_menu_settings&settings[new-menu-setting]=malicious-value' \
    https://victimsite.com/wp-admin/admin-ajax.php
The restaurant might lose business: the menu could be changed, orders sabotaged, and tables blocked off.
If your WordPress site allows anyone to register (many membership, store, and restaurant sites do), this bug is almost as dangerous as a full admin takeover, because registering is all an attacker needs to obtain the “logged-in” user the exploit requires.
How to Fix It
Upgrade to the latest version! The plugin authors patched this issue in version 2.3.1.
Fixed code example:
add_action('wp_ajax_wpos_save_menu_settings', 'wpos_save_menu_settings');

function wpos_save_menu_settings() {
    // Capability check (now only admins!). wp_send_json_error() calls wp_die(), so execution stops here.
    if ( ! current_user_can('manage_options') ) {
        wp_send_json_error('Unauthorized', 401);
    }
    // Nonce check: dies with -1 unless a valid 'nonce' field for this action was posted
    check_ajax_referer('wpos_settings_nonce', 'nonce');
    // Now it's safe to do the update, once the posted values are sanitized
    $settings = map_deep( wp_unslash( $_POST['settings'] ?? array() ), 'sanitize_text_field' );
    update_option('restaurant_menu_settings', $settings);
    wp_send_json_success('Settings updated!');
}
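The fixed snippet above shows the two checks but not where the nonce comes from, nor how to keep arbitrary keys out of the option. The following is an added example, not the plugin’s code and not from the advisory, of the complete pattern: the nonce is minted when the admin page’s script is enqueued, the handler verifies nonce then capability, and only an allow-list of known settings keys, each with its own sanitizer, reaches update_option. The `wpos_` names and the option name follow the post’s pseudo-code; the page slug `settings_page_wpos-settings`, the script path and the allow-list keys are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened settings-update flow for
// a WordPress AJAX action. Names prefixed "wpos_" follow the post's pseudo-code;
// the page slug, script path and allow-list keys below are assumptions.

// 1. Enqueue the admin script, and hand it a nonce, only on the plugin's settings page.
add_action( 'admin_enqueue_scripts', 'wpos_enqueue_settings_script' );
function wpos_enqueue_settings_script( $hook_suffix ) {
    if ( 'settings_page_wpos-settings' !== $hook_suffix ) { // hypothetical page slug
        return;
    }
    wp_enqueue_script( 'wpos-settings', plugins_url( 'js/settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // The nonce is bound to the logged-in user and expires; the JS posts it as the "nonce" field.
    wp_localize_script( 'wpos-settings', 'wposSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpos_settings_nonce' ),
    ) );
}

// 2. Register the handler for logged-in users only (deliberately no wp_ajax_nopriv_ twin).
add_action( 'wp_ajax_wpos_save_menu_settings', 'wpos_save_menu_settings' );
function wpos_save_menu_settings() {
    // Nonce first: rejects forged cross-site requests and stale forms (dies with -1 on failure).
    check_ajax_referer( 'wpos_settings_nonce', 'nonce' );

    // Capability second: a valid nonce from a Subscriber is still not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }

    // 3. Never store raw $_POST. Accept only known keys, each through its own sanitizer.
    $allowed = array(                       // assumed settings keys
        'currency'       => 'sanitize_text_field',
        'orders_enabled' => 'rest_sanitize_boolean',
        'max_party_size' => 'absint',
    );
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $raw ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $raw[ $key ] );
        }
    }
    if ( empty( $clean ) ) {
        wp_send_json_error( array( 'message' => 'No valid settings supplied' ), 400 );
    }

    // Merge over the stored settings so an omitted key is not silently wiped.
    $stored = get_option( 'restaurant_menu_settings', array() );
    update_option( 'restaurant_menu_settings', array_merge( (array) $stored, $clean ) );

    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}
```

Checking the nonce before the capability keeps the cheaper, non-database check first and means a forged request never learns whether the victim’s account is privileged; the allow-list is what stops the `settings[new-menu-setting]=malicious-value` style payload from the proof of concept, since unknown keys are dropped rather than saved.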
Original References & Advisories
- Patchstack CVE-2022-2696 Advisory
- Wordfence Vulnerability Entry
- NVD CVE Database Entry
Conclusion
If you use the “Restaurant Menu – Food Ordering System – Table Reservation” plugin, make sure it’s version 2.3.1 or newer. This vulnerability is easy to exploit by anyone with a simple WordPress account. Always keep your plugins (and WordPress itself) updated, and beware of plugins that don’t use WordPress’ built-in security checks.
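To act on that last piece of advice before installing a plugin, it helps to have a quick way to spot AJAX handlers that skip the built-in checks. The script below is an added example, not part of this post or of the plugin, that walks a plugin directory, finds `add_action('wp_ajax_...', 'callback')` registrations, and reports callbacks whose body contains neither a capability check nor a nonce check. It is regex-based triage to prioritise manual review, not proof of a vulnerability: a check that lives in a helper the callback calls, or a handler registered as a class-method array callback, will be reported as unknown. Run over the two snippets in this post, the vulnerable handler is reported with both checks missing and the fixed one is not reported at all.

```php
<?php
// Added example (not from the post or the plugin): regex-based triage of wp_ajax_* handlers
// in a plugin directory, flagging callbacks with no capability check and/or no nonce check.
// Usage: php ajax_audit.php /path/to/wp-content/plugins/some-plugin

/** Return [ ['hook' => 'wp_ajax_x', 'callback' => 'fn'], ... ] for string callbacks only. */
function wpos_audit_find_handlers( string $source ): array {
    $re = '/add_action\(\s*[\'"](wp_ajax(?:_nopriv)?_[\w-]+)[\'"]\s*,\s*[\'"]([\w\\\\]+)[\'"]/';
    preg_match_all( $re, $source, $m, PREG_SET_ORDER );
    $handlers = array();
    foreach ( $m as $hit ) {
        $handlers[] = array( 'hook' => $hit[1], 'callback' => ltrim( $hit[2], '\\' ) );
    }
    return $handlers;
}

/** Return the brace-delimited body of "function <name>(", or null if not found in this file. */
function wpos_audit_function_body( string $source, string $name ): ?string {
    if ( ! preg_match( '/function\s+' . preg_quote( $name, '/' ) . '\s*\(/', $source, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $open = strpos( $source, '{', $m[0][1] );
    if ( false === $open ) {
        return null;
    }
    $depth = 0;
    for ( $i = $open, $len = strlen( $source ); $i < $len; $i++ ) {
        if ( '{' === $source[ $i ] ) {
            $depth++;
        } elseif ( '}' === $source[ $i ] ) {
            $depth--;
            if ( 0 === $depth ) {
                return substr( $source, $open, $i - $open + 1 );
            }
        }
    }
    return null; // unbalanced braces: treat as unknown
}

/** Does the body call one of WordPress's capability / nonce verification functions? */
function wpos_audit_classify( string $body ): array {
    return array(
        'capability' => (bool) preg_match( '/\b(current_user_can|user_can|is_super_admin)\s*\(/', $body ),
        'nonce'      => (bool) preg_match( '/\b(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(/', $body ),
    );
}

/** Scan every .php file under $dir; return only handlers that fail or cannot be classified. */
function wpos_audit_directory( string $dir ): array {
    $findings = array();
    $files    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        $source = file_get_contents( $file->getPathname() );
        foreach ( wpos_audit_find_handlers( $source ) as $h ) {
            $body   = wpos_audit_function_body( $source, $h['callback'] );
            $checks = ( null === $body )
                ? array( 'capability' => null, 'nonce' => null ) // callback defined elsewhere or not a plain function
                : wpos_audit_classify( $body );
            if ( true !== $checks['capability'] || true !== $checks['nonce'] ) {
                $findings[] = array_merge( array( 'file' => $file->getPathname() ), $h, $checks );
            }
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( wpos_audit_directory( $argv[1] ) as $f ) {
        printf( "%s: %s -> %s() capability=%s nonce=%s\n",
            $f['file'], $f['hook'], $f['callback'],
            var_export( $f['capability'], true ), var_export( $f['nonce'], true ) );
    }
}
```

A `null` in either column means the callback body was not found in the same file, which is common for class-based plugins; those handlers need a manual look rather than being treated as clean.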
Timeline
Published on: 11/03/2022 17:15:00 UTC
Last modified on: 11/04/2022 02:19:00 UTC