CVE-2025-8491: 
WordPress vulnerability analysis and mitigation

The Easy restaurant menu manager plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 2.0.2. The vulnerability was discovered on August 12, 2025 and publicly disclosed on August 13, 2025. The issue affects the nsceprmsave_menu() function due to missing or incorrect nonce validation (NVD, Rapid7).

The vulnerability exists in the nsceprmsave_menu() function of the plugin which lacks proper nonce validation for menu file uploads. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is tracked as CWE-352 (Cross-Site Request Forgery) (NVD, Wordfence).

If exploited, this vulnerability allows unauthenticated attackers to upload menu files through forged requests by tricking site administrators into clicking malicious links. This could potentially lead to unauthorized file uploads and manipulation of restaurant menu content (NVD).

A security fix has been implemented in the plugin's source code by adding proper nonce validation to the nsceprmsavemenu() function. Site administrators are advised to update their Easy restaurant menu manager plugin to the latest version that includes this security fix ([WordPress Plugin](https://plugins.trac.wordpress.org/changeset/3338246/easy-pdf-restaurant-menu-upload/trunk/class/classadmineasypdfrestaurantmenu.php)).