The plugin does not ensure that the menu to be deleted/updated is actually a menu, and does not have authorisation in the related AJAX actions, which could allow any authenticated users, such as subscriber, to delete and update arbitrary posts
CPE | Name | Operator | Version |
---|---|---|---|
quick-restaurant-menu | lt | 2.1.0 |