The Restaurant & Cafe Addon for Elementor WordPress plugin has a security vulnerability which allows unauthenticated attackers to modify the plugin’s settings without proper authorization. This vulnerability affects versions up to, and including, 1.5.3, and is caused by a missing capability check on multiple AJAX functions. Attackers are able to exploit this vulnerability if they are able to retrieve a nonce which is only displayed on an admin page that is protected by a capability check.