WP-Safety

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Security & Risk Analysis

wordpress.org/plugins/wp-cafe

Restaurant menu plugin for online food ordering, delivery, pickup, table reservation & booking - QR ordering, visual table layouts & multi-location.

6K active installs v3.0.8 PHP 7.4+ WP 6.2+ Updated Apr 4, 2026
food-deliveryfood-menuonline-food-orderingrestaurantrestaurant-booking-system
88
A · Safe
CVEs total10
Unpatched0
Last CVEMar 12, 2026
Plugin page Download
Safety Verdict

Is WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Safe to Use in 2026?

Generally Safe

Score 88/100

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

10 known CVEsLast CVE: Mar 12, 2026Updated 1mo ago
Risk Assessment

The wp-cafe plugin version 3.0.6 exhibits a mixed security posture. While the static analysis reveals good practices in many areas, such as a high percentage of prepared SQL statements and properly escaped output, there are notable concerns. The presence of two AJAX handlers without authentication checks presents a significant risk, potentially allowing unauthorized actions. The extensive vulnerability history, with 9 known CVEs including high-severity issues like PHP Remote File Inclusion and Cross-site Scripting, is a major red flag. The fact that the last vulnerability was very recent (2025-04-17) indicates a recurring pattern of security weaknesses, even though none are currently unpatched.

Despite the positive aspects of the code analysis regarding SQL and output escaping, the two unprotected AJAX endpoints are a direct and immediate risk. The historical vulnerability data suggests a fundamental challenge in the plugin's development lifecycle, with a history of severe vulnerabilities that require ongoing patching. This history, combined with the unprotected entry points, suggests a plugin that may be prone to exploitation if not meticulously maintained and updated. The absence of critical taint flow issues and the low number of file operations or external HTTP requests are positive, but they do not outweigh the direct security gaps identified.

Key Concerns

  • Unprotected AJAX handlers
  • High number of past high/medium severity CVEs
  • Recent vulnerability discovered
Vulnerabilities
10 published

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2023
2023
5 CVEs in 2024
2024
2 CVEs in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

High
6
Medium
4

10 total CVEs

CVE-2026-27071medium · 5.3Missing Authorization

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution <= 3.0.7 - Missing Authorization

Mar 12, 2026 Patched in 3.0.8 (34d)
CVE-2025-39452high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.32 - Authenticated (Contributor+) Local File Inclusion

Apr 17, 2025 Patched in 2.2.33 (6d)
CVE-2025-30829high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.31 - Authenticated (Contributor+) Local File Inclusion

Mar 27, 2025 Patched in 2.2.32 (8d)
CVE-2024-43135high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.28 - Authenticated (Contributor+) Local File Inclusion

Aug 7, 2024 Patched in 2.2.29 (8d)
CVE-2024-37513high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.27 - Authenticated (Contributor+) Local File Inclusion

Jul 5, 2024 Patched in 2.2.28 (7d)
CVE-2024-5431high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.25 - Authenticated (Contributor+) File inclusion via Shortcode

Jun 24, 2024 Patched in 2.2.26 (1d)
CVE-2024-5427medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode

May 30, 2024 Patched in 2.2.26 (1d)
CVE-2024-1855medium · 5.3Server-Side Request Forgery (SSRF)

WPCafe <= 2.2.23 - Unauthenticated Blind Server-Side Request Forgery

May 22, 2024 Patched in 2.2.24 (1d)
CVE-2023-47805medium · 5.3Missing Authorization

WPCafe <= 2.2.22 - Missing Authorization

Nov 15, 2023 Patched in 2.2.23 (155d)
WF-b49ae7fc-e860-4387-b596-12640ec7277f-wp-cafehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCafe – Food Menu, WooCommerce Food Ordering, Food Delivery, Pickup and Restaurant Reservation <= 2.1.4 - Cross-Site Scripting

Aug 6, 2022 Patched in 2.2.0 (535d)
Version History

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Release Timeline

v3.0.8Current
v3.0.71 CVE
CVE-2026-27071
v3.0.61 CVE
CVE-2026-27071
v3.0.51 CVE
CVE-2026-27071
v3.0.41 CVE
CVE-2026-27071
v3.0.31 CVE
CVE-2026-27071
v3.0.21 CVE
CVE-2026-27071
v3.0.11 CVE
CVE-2026-27071
v3.0.01 CVE
CVE-2026-27071
v2.2.421 CVE
CVE-2026-27071
v2.2.411 CVE
CVE-2026-27071
v2.2.401 CVE
CVE-2026-27071
v2.2.391 CVE
CVE-2026-27071
v2.2.381 CVE
CVE-2026-27071
v2.2.371 CVE
CVE-2026-27071
v2.2.361 CVE
CVE-2026-27071
v2.2.351 CVE
CVE-2026-27071
v2.2.341 CVE
CVE-2026-27071
v2.2.331 CVE
CVE-2026-27071
v2.2.322 CVEs
CVE-2026-27071 CVE-2025-39452
Code Analysis
Analyzed Mar 16, 2026

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
27 prepared
Unescaped Output
115
721 escaped
Nonce Checks
9
Capability Checks
28
File Operations
1
External Requests
6
Bundled Libraries
0

SQL Query Safety

90% prepared30 total queries

Output Escaping

86% escaped836 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<table-session-handler> (core\food-order\qrcode\table-session-handler.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Attack Surface

Entry Points15
Unprotected2

AJAX Handlers 15

authwp_ajax_wpc_check_latest_ordercore\food-order\liver-order\notifier.php:19
authwp_ajax_wpc_update_cart_quantitycore\food-order\mini-cart\mini-cart.php:45
noprivwp_ajax_wpc_update_cart_quantitycore\food-order\mini-cart\mini-cart.php:46
authwp_ajax_wpc_remove_cart_itemcore\food-order\mini-cart\mini-cart.php:49
noprivwp_ajax_wpc_remove_cart_itemcore\food-order\mini-cart\mini-cart.php:50
authwp_ajax_filter_food_locationcore\food-order\shortcodes\food-location-ajax.php:21
noprivwp_ajax_filter_food_locationcore\food-order\shortcodes\food-location-ajax.php:22
authwp_ajax_add_tipcore\food-order\tip\tipping-ajax.php:17
noprivwp_ajax_add_tipcore\food-order\tip\tipping-ajax.php:18
authwp_ajax_remove_tipcore\food-order\tip\tipping-ajax.php:20
noprivwp_ajax_remove_tipcore\food-order\tip\tipping-ajax.php:21
authwp_ajax_save_locationcore\location\location-selector.php:24
noprivwp_ajax_save_locationcore\location\location-selector.php:25
authwp_ajax_wpc_discard_reservationcore\reservation\reservation-hooks.php:30
noprivwp_ajax_wpc_discard_reservationcore\reservation\reservation-hooks.php:31
WordPress Hooks 102
actionrest_api_initbase\abstract\base-rest-controller.php:24
actioninitbase\init.php:106
actionadmin_noticesbase\plugin-compatibility-manager.php:177
actionadmin_noticesbase\plugin-compatibility-manager.php:242
actioninitbase\providers\base-service-provider.php:27
filterwpcafe_settingscore\admin\default-settings.php:20
actionadmin_menucore\admin\menu.php:20
actionadmin_noticescore\admin\migration-runner.php:21
actionadmin_enqueue_scriptscore\admin\migration-runner.php:22
actioninitcore\admin\post-status.php:20
filteradmin_body_classcore\admin\woo-admin.php:21
actionadmin_enqueue_scriptscore\admin\woo-admin.php:22
actionadmin_headcore\admin\woo-admin.php:23
filterredirect_post_locationcore\admin\woo-admin.php:24
actionwp_redirectcore\admin\woo-admin.php:25
filterwpc_gutenberg_blockscore\Blocks\block-service.php:31
actioninitcore\Blocks\block-types-controller.php:33
actioninitcore\Blocks\block-types-controller.php:34
actioninitcore\email-automation\Email_Automation_Dummy_Data_Manager.php:31
actionwoocommerce_new_ordercore\email-automation\Handlers\Order_Email_Handler.php:30
actionwoocommerce_order_status_changedcore\email-automation\Handlers\Order_Email_Handler.php:31
actionwpcafe_order_cancelledcore\email-automation\Handlers\Order_Email_Handler.php:32
filternotification_sdk_email_bodycore\email-automation\Service\email-notification.php:41
filterens_wpc_available_actionscore\email-automation\Service\email-notification.php:64
actionadmin_enqueue_scriptscore\food-order\liver-order\assets-manager.php:18
actionadmin_footercore\food-order\liver-order\assets-manager.php:19
filterheartbeat_receivedcore\food-order\liver-order\notifier.php:18
actionwp_headcore\food-order\mini-cart\mini-cart.php:33
actionwp_footercore\food-order\mini-cart\mini-cart.php:34
actionwp_enqueue_scriptscore\food-order\mini-cart\mini-cart.php:35
actionwoocommerce_widget_shopping_cart_before_buttonscore\food-order\mini-cart\mini-cart.php:38
actionwoocommerce_widget_shopping_cart_before_buttonscore\food-order\mini-cart\mini-cart.php:39
filterwoocommerce_add_to_cart_fragmentscore\food-order\mini-cart\mini-cart.php:41
filterwoocommerce_add_to_cart_fragmentscore\food-order\mini-cart\mini-cart.php:42
actionwp_loadedcore\food-order\qrcode\table-session-handler.php:21
actionwoocommerce_checkout_create_ordercore\food-order\qrcode\table-session-handler.php:22
filtermanage_woocommerce_page_wc-orders_columnscore\food-order\qrcode\table-session-handler.php:25
actionmanage_woocommerce_page_wc-orders_custom_columncore\food-order\qrcode\table-session-handler.php:26
actionmanage_shop_order_posts_custom_columncore\food-order\qrcode\table-session-handler.php:27
actionwoocommerce_order_details_before_order_tablecore\food-order\qrcode\table-session-handler.php:30
actionwoocommerce_admin_order_data_after_billing_addresscore\food-order\qrcode\table-session-handler.php:33
actionwoocommerce_email_order_metacore\food-order\qrcode\table-session-handler.php:35
filterwpc_product_query_argscore\food-order\shortcodes\food-menu-tab.php:125
actionwp_enqueue_scriptscore\food-order\tip\tipping-assets.php:16
actionwoocommerce_new_ordercore\food-order\tip\tipping-cleanup.php:17
actionwoocommerce_cart_calculate_feescore\food-order\tip\tipping-fee.php:17
actionwoocommerce_after_order_notescore\food-order\tip\tipping-form.php:17
actionwoocommerce_before_cart_totalscore\food-order\tip\tipping-form.php:18
filterwpcafe_settingscore\integrations\fluent-crm.php:22
actionwpcafe_after_reservation_createcore\integrations\fluent-crm.php:23
actionwoocommerce_checkout_order_processedcore\integrations\fluent-crm.php:24
actionwpcafe_after_reservation_createcore\integrations\pabbly.php:22
actionwoocommerce_checkout_order_processedcore\integrations\pabbly.php:23
actionwpcafe_after_reservation_createcore\integrations\zapier.php:22
actionwoocommerce_checkout_order_processedcore\integrations\zapier.php:23
actionwoocommerce_review_order_before_order_totalcore\location\location-selector.php:20
actionwp_footercore\location\location-selector.php:22
actionwoocommerce_checkout_create_ordercore\location\location-selector.php:27
actioninitcore\location\location-taxonomy.php:17
actionwoocommerce_order_list_table_restrict_manage_orderscore\location\order-filter.php:21
filterwoocommerce_order_query_argscore\location\order-filter.php:26
filtermanage_woocommerce_page_wc-orders_columnscore\location\order-filter.php:30
actionmanage_shop_order_posts_custom_columncore\location\order-filter.php:32
actionmanage_woocommerce_page_wc-orders_custom_columncore\location\order-filter.php:34
actionrestrict_manage_postscore\location\product-filter.php:21
filterparse_querycore\location\product-filter.php:26
actionwoocommerce_product_querycore\location\product-filter.php:31
actionwoocommerce_thankyoucore\modules\food-menu\hooks.php:127
actionwoocommerce_admin_order_data_after_billing_addresscore\modules\food-menu\hooks.php:128
filterwoocommerce_cart_redirect_after_errorcore\modules\food-menu\hooks.php:130
filterwoocommerce_add_to_cart_validationcore\modules\food-menu\hooks.php:131
actioninitcore\modules\food-menu\hooks.php:134
actionmanage_wpc_reservation_posts_custom_columncore\modules\reservation\wpc-reservation-report.php:17
actionrestrict_manage_postscore\modules\reservation\wpc-reservation-report.php:19
actionadmin_initcore\onboard\onboard-setup.php:20
filterwpcafe_settingscore\onboard\onboard-setup.php:21
actionadmin_initcore\onboard\onboard-setup.php:30
actionwoocommerce_checkout_create_order_line_itemcore\payments\gateways\wc\checkout-process.php:20
filterwoocommerce_get_cart_item_from_sessioncore\payments\gateways\wc\checkout-process.php:22
actionwoocommerce_payment_completecore\payments\gateways\wc\checkout-process.php:24
actionwoocommerce_order_status_changedcore\payments\gateways\wc\checkout-process.php:26
filterwoocommerce_checkout_fieldscore\payments\gateways\wc\checkout-process.php:28
actionwoocommerce_cart_calculate_feescore\payments\gateways\wc\checkout-process.php:30
filterwpcafe_payment_gatewayscore\payments\payment-setup.php:21
actionwpcafe_after_reservation_createcore\reservation\email\handlers\reservation-email-handler.php:24
actionwpcafe_after_reservation_cancelledcore\reservation\email\handlers\reservation-email-handler.php:25
actionwoocommerce_before_order_notescore\reservation\reservation-hooks.php:26
actionwoocommerce_new_ordercore\reservation\reservation-hooks.php:27
filterwpcafe_settingscore\reservation\reservation-hooks.php:28
filterwpc_available_email_triggerscore\reservation\reservation-hooks.php:29
actionadmin_post_wpcafe_rollbackcore\rollback\rollback-service.php:21
actionplugins_loadedupgrades\install-detector.php:33
actionadmin_initupgrades\upgrade-3-0-0\compatibility-handler.php:58
actioninitupgrades\upgrade-3-0-0\compatibility-handler.php:59
actionpre_update_option_active_pluginsupgrades\upgrade-3-0-0\version-guard.php:39
actionadmin_noticesupgrades\upgrade-3-0-0\version-guard.php:130
actionelementor/elements/categories_registeredwidgets\manifest.php:16
actionelementor/widgets/registerwidgets\manifest.php:17
actioninitwpcafe.php:32
actioninitwpcafe.php:33
filterupload_mimeswpcafe.php:74
filterwp_check_filetype_and_extwpcafe.php:90
Maintenance & Trust

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 4, 2026
PHP min version7.4
Downloads266K

Community Trust

Rating90/100
Number of ratings96
Active installs6K
Alternatives

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Alternatives

Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin

Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin

orderable

B
75

Take your restaurant/food business online with the online ordering system plugin for WordPress, Orderable.

6K 1 unpatched
Food Menu – Restaurant Menu & Online Ordering for WooCommerce

Food Menu – Restaurant Menu & Online Ordering for WooCommerce

tlp-food-menu

A
99

A Simple Food & Restaurant Menu Display Plugin for Restaurant, Cafes, Fast Food, Coffee House with WooCommerce Online Ordering.

3K 1 CVE
Restaurant Menu and Food Ordering

Restaurant Menu and Food Ordering

mp-restaurant-menu

A
95

Create and maintain modern online menus for almost any kind of restaurant. Sell food and beverages online. All in one plugin.

2K 4 CVEs
Single Page Restaurant Menu for WooCommerce

Single Page Restaurant Menu for WooCommerce

single-page-restaurant-menu-for-woocommerce

A
85

This plugin is developed to list all woocommerce products/menus in a single page with category and editable cart information.

10 No CVEs
BookMyOrder – Food ordering, delivery, takeaway and reservation for restaurants

BookMyOrder – Food ordering, delivery, takeaway and reservation for restaurants

food-ordering-for-restaurants

A
85

BookMyOrder WordPress Plugin

0 No CVEs
Developer Profile

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System Developer Profile

Arraytics

10 plugins · 20K total installs

91
trust score
Avg Security Score
95/100
Avg Patch Time
27 days
View full developer profile
Detection Fingerprints

How We Detect WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-cafe/assets/css/blocks.style.build.css/wp-content/plugins/wp-cafe/assets/css/frontend.css/wp-content/plugins/wp-cafe/assets/css/frontend.style.build.css/wp-content/plugins/wp-cafe/assets/css/admin.css/wp-content/plugins/wp-cafe/assets/js/frontend.asset.php/wp-content/plugins/wp-cafe/assets/js/blocks.editor.build.js/wp-content/plugins/wp-cafe/assets/js/frontend.js/wp-content/plugins/wp-cafe/assets/js/admin.js
Script Paths
/wp-content/plugins/wp-cafe/assets/js/blocks.editor.build.js/wp-content/plugins/wp-cafe/assets/js/frontend.js/wp-content/plugins/wp-cafe/assets/js/admin.js
Version Parameters
wp-cafe/assets/css/blocks.style.build.css?ver=wp-cafe/assets/css/frontend.css?ver=wp-cafe/assets/css/frontend.style.build.css?ver=wp-cafe/assets/css/admin.css?ver=wp-cafe/assets/js/blocks.editor.build.js?ver=wp-cafe/assets/js/frontend.js?ver=wp-cafe/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpcafe-migration-noticewpcafe-run-migrationwpcafe-migration-message
Data Attributes
data-notice="migration"data-rest-urldata-noncedata-success-messagedata-error-message
REST Endpoints
/wpcafe/v2/migration/run
FAQ

Frequently Asked Questions about WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System