Quick Restaurant Menu plugin for WordPress is vulnerable to Missing Authorization, Insecure Direct Object Reference, Cross-Site Request Forgery as well as Cross-Site Scripting in versions up to, and including 2.0.2.
The WordFence team found that contact information was not readily available for the vendor, so they reached out to the WordPress Plugin Security Team team directly on January 16, 2023 to report the security issues. The team acknowledged receipt of their email on January 18, 2023. All issues were addressed in version 2.1.0, which was released on January 20, 2023. Unfortunately, the plugin is still closed for downloads at this point, so we recommend manually downloading the patched version from this link and updating the plugin, or uninstalling the plugin completely until the plugin has been reinstated.
WordFence released a firewall rule addressing the lack of authorization checks on January 16, 2023.
Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions they are allowed to perform, it is not possible to provide full protection without blocking legitimate requests. As such, we recommend updating as soon as possible to ensure that your site is fully protected against any exploits that may target the Cross-Site Request Forgery vulnerability.
Source and more details: https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick-restaurant-menu-plugin