PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11818 arraytics CVE debrief

The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The vulnerability has a medium priority due to the potential for authenticated attackers to perform unauthorized actions.

Vendor
arraytics
Product
WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating to a patched version, restricting access to sensitive workflows, and monitoring for suspicious activity.

Technical summary

The WPCafe plugin does not properly verify user authorization, allowing authenticated attackers with subscriber-level access to manage notification flow workflows intended for administrators. The vulnerability exists in all versions up to and including 3.0.14 and is due to insufficient checks, with only a wp_rest nonce check in place, which can be obtained by any logged-in user. This could lead to unauthorized actions being performed, including listing, creating, updating, deleting, cloning, and bulk-deleting notification flow workflows.

Defensive priority

Medium priority due to the potential for authenticated attackers to perform unauthorized actions.

Recommended defensive actions

  • Update to a patched version of the WPCafe plugin
  • Restrict access to sensitive workflows and endpoints
  • Monitor for suspicious activity related to notification flow workflows
  • Implement additional authorization checks for user actions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T04:17:47.277Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The WPCafe plugin does not properly verify user authorization, allowing authenticated attackers with subscriber-level access to manage notification flow workflows intended for administrators.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T04:17:47.277Z and has not been modified since then. The NVD entry is currently Deferred.