CVE-2025-49448: 
WordPress vulnerability analysis and mitigation

An Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability was discovered in Fastw3b LLC's FW Food Menu WordPress plugin, affecting versions up to 6.0.0. The vulnerability was initially reported by security researcher LVT-tholv2k on April 25, 2025, and was publicly disclosed on June 24, 2025. The vulnerability has been assigned CVE-2025-49448 and is classified as a high-severity issue with a CVSS score of 8.6 (Patchstack).

The vulnerability is classified as an Arbitrary File Deletion issue, falling under the CWE-22 category (Improper Limitation of a Pathname to a Restricted Directory). It has received a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability can be exploited without authentication, making it particularly dangerous (Patchstack).

The vulnerability allows malicious actors to delete files from affected websites. If core files are targeted, it could result in website breakage and loss of functionality. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become a target for mass exploitation (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately as a temporary solution until an official fix becomes available (Patchstack).