
Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin

via wordfence.com => original post link

On January 16, 2023, the Wordfence Threat Intelligence team responsibly disclosed several vulnerabilities in Quick Restaurant Menu, a WordPress plugin that allows users to set up restaurant menus on their sites. This plugin is vulnerable to Missing Authorization, Insecure Direct Object Reference, Cross-Site Request Forgery, as well as Cross-Site Scripting in versions up to and including 2.0.2.

We found that contact information was not readily available for the vendor, so we reached out to the WordPress Plugin Security Team directly on January 16, 2023 to report the security issues. The team acknowledged receipt of our email on January 18, 2023. All issues were addressed in version 2.1.0, which was released on January 20, 2023. Unfortunately, the plugin is still closed for downloads at this point, so we recommend manually downloading the patched version from this link and updating the plugin, or uninstalling the plugin completely until the plugin has been reinstated.

We released a firewall rule addressing the lack of authorization checks on January 16, 2023. Premium, Care, and Response customers received that protection the same day, while sites still running the free version of Wordfence will receive the same protection 30 days later on February 15, 2023.