CVE-2023-0550: 
WordPress vulnerability analysis and mitigation

The Quick Restaurant Menu plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2023-0550) in versions up to and including 2.0.2. The vulnerability was discovered and disclosed on January 27, 2023 (NVD).

The vulnerability stems from the plugin's failure to verify post ID during menu item deletion/modification operations in AJAX actions. This oversight allows authenticated users with subscriber-level access or higher to potentially modify or delete arbitrary posts. The vulnerability has received varying CVSS scores, with NVD assigning a base score of 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Wordfence assessed it at 7.6 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L (NVD).

The vulnerability allows authenticated attackers with subscriber-level privileges or higher to modify or delete arbitrary posts on the affected WordPress installation, potentially leading to content manipulation or deletion beyond their intended permissions (NVD).

Users should update to version 2.1.0 or later of the Quick Restaurant Menu plugin, which contains fixes for this vulnerability. The fix can be found in the plugin's changelog and repository (WordPress Plugin).