Description
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is caused by missing file type validation in the upload endpoint of the Alex Reservations plugin. An authenticated attacker with Administrator or higher privilege can call /wp-json/srr/v1/app/upload/file and upload any file. Because the plugin does not check the MIME type or extension, the attacker can place executable code, such as a PHP script, on the server. If the upload directory allows execution, the attacker can run that code, leading to remote compromise of the WordPress site and the underlying server.

Affected Systems

All WordPress installations running the Alex Reservations: Smart Restaurant Booking plugin version 2.2.3 or earlier are affected. The issue exists in the plugin’s upload controller and applies to any site that has the plugin installed and active.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is presently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The need for Administrator-level credentials is a significant barrier, although it can still be overcome through credential compromise or an insider threat. Once authenticated, an attacker can upload malicious content and potentially execute code, which would compromise the confidentiality, integrity, and availability of the site and its data.

Generated by OpenCVE AI on April 21, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Alex Reservations plugin to the newest version that includes the fix for the arbitrary file upload flaw.
  • Add a whitelist of allowed file types in the upload logic or enforce server-side MIME type validation so that only safe files can be uploaded.
  • Configure the web server to prevent execution of files in the upload directory, or restrict the /wp-json/srr/v1/app/upload/file endpoint to privileged users and ensure those accounts use multi-factor authentication.
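The following is an added example, not code from the Alex Reservations plugin or from OpenCVE, showing what the recommended server-side validation looks like in a WordPress REST upload handler: a capability check in the permission callback, an explicit allowlist of extensions and MIME types, and content sniffing via WordPress' own wp_check_filetype_and_ext() so that a file whose bytes do not match its extension is rejected. The route namespace example/v1, the example_ function names and the three-entry allowlist are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical plugin code, not the Alex Reservations plugin):
// a hardened WordPress REST upload endpoint. Route namespace, function names
// and the allowlist below are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload/file', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_upload',
        // Require a concrete capability rather than accepting any logged-in user.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

/**
 * Allowlist narrower than WordPress' default mime list: only the formats a
 * booking plugin would plausibly need (assumed set). Keys are extension
 * patterns, values the expected MIME type.
 */
function example_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
}

function example_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file supplied.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // wp_check_filetype_and_ext() matches the extension against the allowlist AND
    // inspects the file content, so a PHP script renamed to .jpg, or a name such
    // as "x.php" outside the allowlist, comes back with an empty ext/type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], example_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'File type not allowed.', array( 'status' => 415 ) );
    }
    // WordPress may suggest a corrected filename when the extension was wrong.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Let WordPress move the file with its own checks and a sanitized, unique
    // filename under the uploads directory; 'mimes' re-applies the allowlist.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => example_allowed_mimes(),
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 400 ) );
    }

    return rest_ensure_response( array(
        'file' => basename( $result['file'] ),
        'url'  => $result['url'],
        'type' => $result['type'],
    ) );
}
```

This covers the code-level half of the recommendations. The web-server half (denying script execution inside wp-content/uploads) is an independent layer configured in Apache or nginx and remains worthwhile even with the allowlist in place, since it limits the damage of any validation bypass.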

Advisories

No advisories yet.

History

Mon, 10 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress, Wordpress wordpress
Vendors & Products Wordpress, Wordpress wordpress

Sat, 08 Nov 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:42.863Z

Reserved: 2025-10-28T14:16:05.581Z

Link: CVE-2025-12399

Vulnrichment

Updated: 2025-11-10T14:08:04.519Z

NVD

Status: Deferred

Published: 2025-11-08T10:15:41.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses