Impact
A missing authorization vulnerability in the Rustaurius Five Star Restaurant Reservations WordPress plugin allows an attacker to bypass normal access controls and potentially perform privileged operations. The flaw stems from incorrectly configured access control security levels, meaning that any user, logged in or not, could attempt to exploit privileged endpoints, leading to unauthorized modifications or data exposure. This weakness is identified as CWE-862 and may impact the confidentiality and integrity of reservation data.
Affected Systems
The vulnerability is present in the Five Star Restaurant Reservations plugin version 2.6.29 and prior, specifically the WordPress plugin distributed by Rustaurius. Administrators using any WordPress installation with this plugin installed and not updated beyond 2.6.29 are affected. No additional vendors or products are listed.
Risk and Exploitability
The CVSS score is 4.9, indicating moderate severity, and the EPSS score is less than 1%, implying that the current probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker interacting with the plugin through its exposed API endpoints or administrative interfaces, as misconfigured security levels allow the attacker to elevate privileges. Remediating the issue requires applying a patched version of the plugin.
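To find installations that still fall in the affected range, the plugin's header comment can be parsed and its version compared numerically against 2.6.29. The following is an added example, not code from the advisory or the plugin; it assumes the plugin's "Plugin Name" header contains the product name, and the sample header is constructed.

```python
import re

LAST_AFFECTED = (2, 6, 29)   # "version 2.6.29 and prior", per the advisory
# Assumption: the plugin's "Plugin Name" header contains the product name.
PRODUCT_NAME = "five star restaurant reservations"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.M | re.I)


def parse_headers(php_source):
    """Extract Plugin Name and Version from a plugin file's header comment."""
    headers = {}
    # WordPress reads only the first 8 KiB of the main plugin file for headers.
    for key, value in HEADER_RE.findall(php_source[:8192]):
        headers.setdefault(key.lower(), value.strip())
    return headers


def version_tuple(version):
    """'2.6.29' -> (2, 6, 29); stops at the first component with no leading digits."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while parts and parts[-1] == 0:   # treat 2.6.29.0 the same as 2.6.29
        parts.pop()
    return tuple(parts)


def assess(php_source):
    """Classify one plugin file against the advisory's affected range."""
    headers = parse_headers(php_source)
    if PRODUCT_NAME not in headers.get("plugin name", "").lower():
        return "other-plugin"
    installed = version_tuple(headers.get("version", ""))
    if not installed:
        return "unknown-version"   # review by hand rather than assume safe
    return "affected" if installed <= LAST_AFFECTED else "outside-affected-range"


# Constructed sample header, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: Five Star Restaurant Reservations
 * Version: 2.6.3
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The comparison is done on integer tuples because a plain string comparison would rank 2.6.3 above 2.6.29 and report an affected install as updated.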