CVE-2025-49447: 
WordPress vulnerability analysis and mitigation

CVE-2025-49447 is a critical security vulnerability affecting the FW Food Menu WordPress plugin versions up to 6.0.0. The vulnerability was discovered by LVT-tholv2k on April 25, 2025, and publicly disclosed on June 12, 2025. It is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability (Wiz, Patchstack).

The vulnerability has received a Critical CVSS v3.1 base score of 10.0 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. This scoring indicates that the vulnerability can be exploited over the network, requires no privileges or user interaction, and has high impacts on confidentiality, integrity, and availability (Wiz, Patchstack).

The vulnerability enables malicious actors to upload arbitrary files to the affected website, including potential backdoors that can be executed to gain further access to the website. Given its unauthenticated nature and critical severity rating, this vulnerability poses a significant risk and is expected to become mass exploited (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement mitigation measures immediately (Patchstack).