WP-Safety

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Security & Risk Analysis

wordpress.org/plugins/wp-cafe

Complete restaurant solution for restaurant menus, online food ordering, delivery, reservations and booking

6K active installs v3.0.6 PHP 7.4+ WP 6.2+ Updated Feb 16, 2026
food-deliveryfood-menurestaurantrestaurant-bookingwoocommerce-food-ordering
91
A · Safe
CVEs total9
Unpatched0
Last CVEApr 17, 2025
Plugin page Download
Safety Verdict

Is WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Safe to Use in 2026?

Generally Safe

Score 91/100

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEsLast CVE: Apr 17, 2025Updated 1mo ago
Risk Assessment

The wp-cafe plugin version 3.0.6 exhibits a mixed security posture. While the static analysis reveals good practices in many areas, such as a high percentage of prepared SQL statements and properly escaped output, there are notable concerns. The presence of two AJAX handlers without authentication checks presents a significant risk, potentially allowing unauthorized actions. The extensive vulnerability history, with 9 known CVEs including high-severity issues like PHP Remote File Inclusion and Cross-site Scripting, is a major red flag. The fact that the last vulnerability was very recent (2025-04-17) indicates a recurring pattern of security weaknesses, even though none are currently unpatched.

Despite the positive aspects of the code analysis regarding SQL and output escaping, the two unprotected AJAX endpoints are a direct and immediate risk. The historical vulnerability data suggests a fundamental challenge in the plugin's development lifecycle, with a history of severe vulnerabilities that require ongoing patching. This history, combined with the unprotected entry points, suggests a plugin that may be prone to exploitation if not meticulously maintained and updated. The absence of critical taint flow issues and the low number of file operations or external HTTP requests are positive, but they do not outweigh the direct security gaps identified.

Key Concerns

  • Unprotected AJAX handlers
  • High number of past high/medium severity CVEs
  • Recent vulnerability discovered
Vulnerabilities
9

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2023
2023
5 CVEs in 2024
2024
2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

High
6
Medium
3

9 total CVEs

CVE-2025-39452high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.32 - Authenticated (Contributor+) Local File Inclusion

Apr 17, 2025 Patched in 2.2.33 (6d)
CVE-2025-30829high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.31 - Authenticated (Contributor+) Local File Inclusion

Mar 27, 2025 Patched in 2.2.32 (8d)
CVE-2024-43135high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.28 - Authenticated (Contributor+) Local File Inclusion

Aug 7, 2024 Patched in 2.2.29 (8d)
CVE-2024-37513high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe <= 2.2.27 - Authenticated (Contributor+) Local File Inclusion

Jul 5, 2024 Patched in 2.2.28 (7d)
CVE-2024-5431high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.25 - Authenticated (Contributor+) File inclusion via Shortcode

Jun 24, 2024 Patched in 2.2.26 (1d)
CVE-2024-5427medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode

May 30, 2024 Patched in 2.2.26 (1d)
CVE-2024-1855medium · 5.3Server-Side Request Forgery (SSRF)

WPCafe <= 2.2.23 - Unauthenticated Blind Server-Side Request Forgery

May 22, 2024 Patched in 2.2.24 (1d)
CVE-2023-47805medium · 5.3Missing Authorization

WPCafe <= 2.2.22 - Missing Authorization

Nov 15, 2023 Patched in 2.2.23 (154d)
WF-b49ae7fc-e860-4387-b596-12640ec7277f-wp-cafehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCafe – Food Menu, WooCommerce Food Ordering, Food Delivery, Pickup and Restaurant Reservation <= 2.1.4 - Cross-Site Scripting

Aug 6, 2022 Patched in 2.2.0 (535d)
Code Analysis
Analyzed Mar 16, 2026

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
27 prepared
Unescaped Output
115
721 escaped
Nonce Checks
9
Capability Checks
28
File Operations
1
External Requests
6
Bundled Libraries
0

SQL Query Safety

90% prepared30 total queries

Output Escaping

86% escaped836 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flows
<table-session-handler> (core\food-order\qrcode\table-session-handler.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Attack Surface

Entry Points15
Unprotected2

AJAX Handlers 15

authwp_ajax_wpc_check_latest_ordercore\food-order\liver-order\notifier.php:19
authwp_ajax_wpc_update_cart_quantitycore\food-order\mini-cart\mini-cart.php:45
noprivwp_ajax_wpc_update_cart_quantitycore\food-order\mini-cart\mini-cart.php:46
authwp_ajax_wpc_remove_cart_itemcore\food-order\mini-cart\mini-cart.php:49
noprivwp_ajax_wpc_remove_cart_itemcore\food-order\mini-cart\mini-cart.php:50
authwp_ajax_filter_food_locationcore\food-order\shortcodes\food-location-ajax.php:21
noprivwp_ajax_filter_food_locationcore\food-order\shortcodes\food-location-ajax.php:22
authwp_ajax_add_tipcore\food-order\tip\tipping-ajax.php:17
noprivwp_ajax_add_tipcore\food-order\tip\tipping-ajax.php:18
authwp_ajax_remove_tipcore\food-order\tip\tipping-ajax.php:20
noprivwp_ajax_remove_tipcore\food-order\tip\tipping-ajax.php:21
authwp_ajax_save_locationcore\location\location-selector.php:24
noprivwp_ajax_save_locationcore\location\location-selector.php:25
authwp_ajax_wpc_discard_reservationcore\reservation\reservation-hooks.php:30
noprivwp_ajax_wpc_discard_reservationcore\reservation\reservation-hooks.php:31
WordPress Hooks 102
actionrest_api_initbase\abstract\base-rest-controller.php:24
actioninitbase\init.php:106
actionadmin_noticesbase\plugin-compatibility-manager.php:177
actionadmin_noticesbase\plugin-compatibility-manager.php:242
actioninitbase\providers\base-service-provider.php:27
filterwpcafe_settingscore\admin\default-settings.php:20
actionadmin_menucore\admin\menu.php:20
actionadmin_noticescore\admin\migration-runner.php:21
actionadmin_enqueue_scriptscore\admin\migration-runner.php:22
actioninitcore\admin\post-status.php:20
filteradmin_body_classcore\admin\woo-admin.php:21
actionadmin_enqueue_scriptscore\admin\woo-admin.php:22
actionadmin_headcore\admin\woo-admin.php:23
filterredirect_post_locationcore\admin\woo-admin.php:24
actionwp_redirectcore\admin\woo-admin.php:25
filterwpc_gutenberg_blockscore\Blocks\block-service.php:31
actioninitcore\Blocks\block-types-controller.php:33
actioninitcore\Blocks\block-types-controller.php:34
actioninitcore\email-automation\Email_Automation_Dummy_Data_Manager.php:31
actionwoocommerce_new_ordercore\email-automation\Handlers\Order_Email_Handler.php:30
actionwoocommerce_order_status_changedcore\email-automation\Handlers\Order_Email_Handler.php:31
actionwpcafe_order_cancelledcore\email-automation\Handlers\Order_Email_Handler.php:32
filternotification_sdk_email_bodycore\email-automation\Service\email-notification.php:41
filterens_wpc_available_actionscore\email-automation\Service\email-notification.php:64
actionadmin_enqueue_scriptscore\food-order\liver-order\assets-manager.php:18
actionadmin_footercore\food-order\liver-order\assets-manager.php:19
filterheartbeat_receivedcore\food-order\liver-order\notifier.php:18
actionwp_headcore\food-order\mini-cart\mini-cart.php:33
actionwp_footercore\food-order\mini-cart\mini-cart.php:34
actionwp_enqueue_scriptscore\food-order\mini-cart\mini-cart.php:35
actionwoocommerce_widget_shopping_cart_before_buttonscore\food-order\mini-cart\mini-cart.php:38
actionwoocommerce_widget_shopping_cart_before_buttonscore\food-order\mini-cart\mini-cart.php:39
filterwoocommerce_add_to_cart_fragmentscore\food-order\mini-cart\mini-cart.php:41
filterwoocommerce_add_to_cart_fragmentscore\food-order\mini-cart\mini-cart.php:42
actionwp_loadedcore\food-order\qrcode\table-session-handler.php:21
actionwoocommerce_checkout_create_ordercore\food-order\qrcode\table-session-handler.php:22
filtermanage_woocommerce_page_wc-orders_columnscore\food-order\qrcode\table-session-handler.php:25
actionmanage_woocommerce_page_wc-orders_custom_columncore\food-order\qrcode\table-session-handler.php:26
actionmanage_shop_order_posts_custom_columncore\food-order\qrcode\table-session-handler.php:27
actionwoocommerce_order_details_before_order_tablecore\food-order\qrcode\table-session-handler.php:30
actionwoocommerce_admin_order_data_after_billing_addresscore\food-order\qrcode\table-session-handler.php:33
actionwoocommerce_email_order_metacore\food-order\qrcode\table-session-handler.php:35
filterwpc_product_query_argscore\food-order\shortcodes\food-menu-tab.php:125
actionwp_enqueue_scriptscore\food-order\tip\tipping-assets.php:16
actionwoocommerce_new_ordercore\food-order\tip\tipping-cleanup.php:17
actionwoocommerce_cart_calculate_feescore\food-order\tip\tipping-fee.php:17
actionwoocommerce_after_order_notescore\food-order\tip\tipping-form.php:17
actionwoocommerce_before_cart_totalscore\food-order\tip\tipping-form.php:18
filterwpcafe_settingscore\integrations\fluent-crm.php:22
actionwpcafe_after_reservation_createcore\integrations\fluent-crm.php:23
actionwoocommerce_checkout_order_processedcore\integrations\fluent-crm.php:24
actionwpcafe_after_reservation_createcore\integrations\pabbly.php:22
actionwoocommerce_checkout_order_processedcore\integrations\pabbly.php:23
actionwpcafe_after_reservation_createcore\integrations\zapier.php:22
actionwoocommerce_checkout_order_processedcore\integrations\zapier.php:23
actionwoocommerce_review_order_before_order_totalcore\location\location-selector.php:20
actionwp_footercore\location\location-selector.php:22
actionwoocommerce_checkout_create_ordercore\location\location-selector.php:27
actioninitcore\location\location-taxonomy.php:17
actionwoocommerce_order_list_table_restrict_manage_orderscore\location\order-filter.php:21
filterwoocommerce_order_query_argscore\location\order-filter.php:26
filtermanage_woocommerce_page_wc-orders_columnscore\location\order-filter.php:30
actionmanage_shop_order_posts_custom_columncore\location\order-filter.php:32
actionmanage_woocommerce_page_wc-orders_custom_columncore\location\order-filter.php:34
actionrestrict_manage_postscore\location\product-filter.php:21
filterparse_querycore\location\product-filter.php:26
actionwoocommerce_product_querycore\location\product-filter.php:31
actionwoocommerce_thankyoucore\modules\food-menu\hooks.php:127
actionwoocommerce_admin_order_data_after_billing_addresscore\modules\food-menu\hooks.php:128
filterwoocommerce_cart_redirect_after_errorcore\modules\food-menu\hooks.php:130
filterwoocommerce_add_to_cart_validationcore\modules\food-menu\hooks.php:131
actioninitcore\modules\food-menu\hooks.php:134
actionmanage_wpc_reservation_posts_custom_columncore\modules\reservation\wpc-reservation-report.php:17
actionrestrict_manage_postscore\modules\reservation\wpc-reservation-report.php:19
actionadmin_initcore\onboard\onboard-setup.php:20
filterwpcafe_settingscore\onboard\onboard-setup.php:21
actionadmin_initcore\onboard\onboard-setup.php:30
actionwoocommerce_checkout_create_order_line_itemcore\payments\gateways\wc\checkout-process.php:20
filterwoocommerce_get_cart_item_from_sessioncore\payments\gateways\wc\checkout-process.php:22
actionwoocommerce_payment_completecore\payments\gateways\wc\checkout-process.php:24
actionwoocommerce_order_status_changedcore\payments\gateways\wc\checkout-process.php:26
filterwoocommerce_checkout_fieldscore\payments\gateways\wc\checkout-process.php:28
actionwoocommerce_cart_calculate_feescore\payments\gateways\wc\checkout-process.php:30
filterwpcafe_payment_gatewayscore\payments\payment-setup.php:21
actionwpcafe_after_reservation_createcore\reservation\email\handlers\reservation-email-handler.php:24
actionwpcafe_after_reservation_cancelledcore\reservation\email\handlers\reservation-email-handler.php:25
actionwoocommerce_before_order_notescore\reservation\reservation-hooks.php:26
actionwoocommerce_new_ordercore\reservation\reservation-hooks.php:27
filterwpcafe_settingscore\reservation\reservation-hooks.php:28
filterwpc_available_email_triggerscore\reservation\reservation-hooks.php:29
actionadmin_post_wpcafe_rollbackcore\rollback\rollback-service.php:21
actionplugins_loadedupgrades\install-detector.php:33
actionadmin_initupgrades\upgrade-3-0-0\compatibility-handler.php:58
actioninitupgrades\upgrade-3-0-0\compatibility-handler.php:59
actionpre_update_option_active_pluginsupgrades\upgrade-3-0-0\version-guard.php:39
actionadmin_noticesupgrades\upgrade-3-0-0\version-guard.php:130
actionelementor/elements/categories_registeredwidgets\manifest.php:16
actionelementor/widgets/registerwidgets\manifest.php:17
actioninitwpcafe.php:32
actioninitwpcafe.php:33
filterupload_mimeswpcafe.php:74
filterwp_check_filetype_and_extwpcafe.php:90
Maintenance & Trust

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 16, 2026
PHP min version7.4
Downloads260K

Community Trust

Rating90/100
Number of ratings94
Active installs6K
Alternatives

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Alternatives

Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin

Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin

orderable

B
75

Take your restaurant/food business online with the online ordering system plugin for WordPress, Orderable.

6K 1 unpatched
Food Menu – Restaurant Menu & Online Ordering for WooCommerce

Food Menu – Restaurant Menu & Online Ordering for WooCommerce

tlp-food-menu

A
99

A Simple Food & Restaurant Menu Display Plugin for Restaurant, Cafes, Fast Food, Coffee House with WooCommerce Online Ordering.

3K 1 CVE
Restaurant Menu and Food Ordering

Restaurant Menu and Food Ordering

mp-restaurant-menu

A
93

Create and maintain modern online menus for almost any kind of restaurant. Sell food and beverages online. All in one plugin.

2K 4 CVEs
Single Page Restaurant Menu for WooCommerce

Single Page Restaurant Menu for WooCommerce

single-page-restaurant-menu-for-woocommerce

A
85

This plugin is developed to list all woocommerce products/menus in a single page with category and editable cart information.

10 No CVEs
BookMyOrder – Food ordering, delivery, takeaway and reservation for restaurants

BookMyOrder – Food ordering, delivery, takeaway and reservation for restaurants

food-ordering-for-restaurants

A
92

BookMyOrder WordPress Plugin

0 No CVEs
Developer Profile

WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution Developer Profile

Arraytics

8 plugins · 20K total installs

91
trust score
Avg Security Score
95/100
Avg Patch Time
28 days
View full developer profile
Detection Fingerprints

How We Detect WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-cafe/assets/css/blocks.style.build.css/wp-content/plugins/wp-cafe/assets/css/frontend.css/wp-content/plugins/wp-cafe/assets/css/frontend.style.build.css/wp-content/plugins/wp-cafe/assets/css/admin.css/wp-content/plugins/wp-cafe/assets/js/frontend.asset.php/wp-content/plugins/wp-cafe/assets/js/blocks.editor.build.js/wp-content/plugins/wp-cafe/assets/js/frontend.js/wp-content/plugins/wp-cafe/assets/js/admin.js
Script Paths
/wp-content/plugins/wp-cafe/assets/js/blocks.editor.build.js/wp-content/plugins/wp-cafe/assets/js/frontend.js/wp-content/plugins/wp-cafe/assets/js/admin.js
Version Parameters
wp-cafe/assets/css/blocks.style.build.css?ver=wp-cafe/assets/css/frontend.css?ver=wp-cafe/assets/css/frontend.style.build.css?ver=wp-cafe/assets/css/admin.css?ver=wp-cafe/assets/js/blocks.editor.build.js?ver=wp-cafe/assets/js/frontend.js?ver=wp-cafe/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpcafe-migration-noticewpcafe-run-migrationwpcafe-migration-message
Data Attributes
data-notice="migration"data-rest-urldata-noncedata-success-messagedata-error-message
REST Endpoints
/wpcafe/v2/migration/run
FAQ

Frequently Asked Questions about WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution