CVE-2025-0181: 
WordPress vulnerability analysis and mitigation

The WP Foodbakery plugin for WordPress (versions up to and including 4.7) contains an authentication bypass vulnerability (CVE-2025-0181) discovered on February 10, 2025. The vulnerability affects the plugin's user authentication mechanism and impacts websites using the WP Foodbakery plugin for restaurant management and food delivery services (NVD, WPScan).

The vulnerability stems from improper validation of user identity prior to setting the current user and their authentication cookie. This authentication bypass vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to gain unauthorized access to target user accounts, including administrator accounts. This could lead to complete compromise of the affected WordPress sites, potentially allowing attackers to modify content, access sensitive information, and take control of site administration (NVD).

Currently, there is no known fix available for this vulnerability. Website administrators using the WP Foodbakery plugin are advised to consider temporarily disabling the plugin until a security patch is released (WPScan).