CVE-2025-57894: 
WordPress vulnerability analysis and mitigation

The WPPizza WordPress plugin contains a Missing Authorization vulnerability (CVE-2025-57894) discovered on August 22, 2025. This security issue affects versions up to and including 3.19.8 of the WPPizza plugin, which is a restaurant management plugin for WordPress. The vulnerability allows authenticated users with Subscriber-level access to perform unauthorized actions due to incorrectly configured access control security levels (Patchstack, Rapid7).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 base score of 4.3 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can only impact integrity with low severity (Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions within the WPPizza plugin. While the specific unauthorized actions are not detailed, the impact is primarily limited to integrity-related issues with no direct effect on confidentiality or availability (Rapid7).

The vulnerability has been fixed in version 3.19.8.1 of the WPPizza plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).