CVE-2025-8491: 
WordPress vulnerability analysis and mitigation

The Easy Restaurant Menu Manager WordPress plugin versions up to 2.0.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that could allow attackers to inject malicious files instead of menu files. The vulnerability was discovered and assigned CVE-2025-8491, with disclosure on August 2, 2025 (WordPress Plugin).

The vulnerability exists in the menu upload functionality where the plugin failed to properly implement CSRF protection. When an admin clicks on an attacker's crafted link, it could lead to unauthorized file upload capabilities. The issue was fixed by implementing proper CSRF protection through the addition of nonce verification with 'checkadminreferer()' function (WordPress Plugin).

If successfully exploited, an attacker could trick an authenticated administrator into uploading malicious files to the server instead of legitimate menu files, potentially leading to remote code execution or other security compromises (WordPress Plugin).

Users should update to version 2.0.3 or later of the Easy Restaurant Menu Manager plugin which includes the security fix. The patch implements proper CSRF protection by adding nonce verification to the file upload functionality (WordPress Plugin).