PatchSiren cyber security CVE debrief
CVE-2026-11818 arraytics CVE debrief
The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The vulnerability has a medium priority due to the potential for authenticated attackers to perform unauthorized actions.
- Vendor
- arraytics
- Product
- WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating to a patched version, restricting access to sensitive workflows, and monitoring for suspicious activity.
Technical summary
The WPCafe plugin does not properly verify user authorization, allowing authenticated attackers with subscriber-level access to manage notification flow workflows intended for administrators. The vulnerability exists in all versions up to and including 3.0.14 and is due to insufficient checks, with only a wp_rest nonce check in place, which can be obtained by any logged-in user. This could lead to unauthorized actions being performed, including listing, creating, updating, deleting, cloning, and bulk-deleting notification flow workflows.
Defensive priority
Medium priority due to the potential for authenticated attackers to perform unauthorized actions.
Recommended defensive actions
- Update to a patched version of the WPCafe plugin
- Restrict access to sensitive workflows and endpoints
- Monitor for suspicious activity related to notification flow workflows
- Implement additional authorization checks for user actions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T04:17:47.277Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The WPCafe plugin does not properly verify user authorization, allowing authenticated attackers with subscriber-level access to manage notification flow workflows intended for administrators.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T04:17:47.277Z and has not been modified since then. The NVD entry is currently Deferred.