WPCafe – Restaurant Menu, Online Food Ordering & Table Booking Syst…

by | Apr 14, 2026 | Plugins

Medium-severity vulnerability CVE-2026-27071 (CVSS 5.3) affects the WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System WordPress plugin (wp-cafe) in versions up to and including 3.0.7. It is described as a “missing authorization” issue that can allow unauthenticated attackers to perform an unauthorized action.

Attack Vectors

This issue is remotely reachable over the internet (no physical access required) and does not require a logged-in user account, which increases exposure for any site running a vulnerable version of WPCafe.

From a business-risk standpoint, the most likely path is automated scanning: attackers routinely sweep the web for WordPress sites running specific plugin versions, then attempt the vulnerable action at scale.

Security Weakness

According to the published advisory, WPCafe (versions ≤ 3.0.7) is vulnerable due to a missing capability (authorization) check on a function. In practical terms, the plugin does not sufficiently confirm that a request is allowed before performing the action.

This is categorized as an authorization control gap rather than a password issue: even strong admin passwords and MFA may not prevent exploitation if the vulnerable function is exposed to unauthenticated requests.
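To make the weakness concrete, here is an added illustration (not WPCafe's code, and not the function named in the advisory) of the missing-authorization pattern in a WordPress plugin handler beside its corrected form. All hook, function and option names are assumptions for the example.

```php
<?php
// Added illustration, not WPCafe's own code: a hypothetical plugin action
// registered so that it is reachable by unauthenticated (nopriv) requests.
// Function, hook and option names are assumptions for the example.

// --- Weak pattern: no capability or nonce check before acting -------------
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_weak' );
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_weak' );

function demo_save_setting_weak() {
    // Anyone who can reach admin-ajax.php can change this option: the plugin
    // never confirms that the request is allowed before performing the action.
    update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Hardened pattern: logged-in only, nonce and capability check ---------
// No wp_ajax_nopriv_ hook is registered, so unauthenticated requests are
// rejected by WordPress core before the callback runs.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_safe' );

function demo_save_setting_safe() {
    // CSRF protection: the nonce must have been issued with
    // wp_create_nonce( 'demo_save_setting' ) on a page the user loaded.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // Authorization: the caller must hold the capability this action requires.
    // This is the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Same gap in a REST route: permission_callback is the authorization ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_setting',
        // Weak form would be 'permission_callback' => '__return_true', which
        // lets any unauthenticated client invoke the callback. Hardened form:
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array( 'value' => array( 'sanitize_callback' => 'sanitize_text_field' ) ),
    ) );
} );

function demo_rest_save_setting( WP_REST_Request $request ) {
    update_option( 'demo_setting', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_nopriv_*` hook and every REST route whose `permission_callback` returns true unconditionally, and confirm each one is meant to be public.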

Technical or Business Impacts

Because the advisory states only that an “unauthorized action” can be performed, the exact outcome will depend on how your site uses WPCafe and what the affected function does in your configuration. However, even limited unauthorized changes can create meaningful business risk.

Potential business impacts include disruption to online ordering or reservation workflows, damage to customer trust if site content or ordering experiences change unexpectedly, and operational costs for incident response, troubleshooting, and validation that pricing/menu/reservation settings remain accurate.

For compliance and governance teams, this also increases the risk of control failures around change management and website integrity—especially if the site is considered customer-facing production infrastructure.

Remediation: Update WPCafe to version 3.0.8 or a newer patched version. Reference: Wordfence advisory.

Similar Attacks

WordPress plugin vulnerabilities are frequently used in real-world campaigns, particularly when they can be exploited remotely and at scale. Examples of widely exploited plugin-related incidents include:

WP File Manager vulnerability exploited in the wild (Wordfence)

Slider Revolution (RevSlider) vulnerability impacting many sites (Sucuri)

TimThumb vulnerability background and impact (Wordfence)
