Description
Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.4.
Published: 2026-01-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Incorrectly Configured Access Control
Action: Patch Now
AI Analysis

Impact

The vulnerability in Rustaurius Five Star Restaurant Reservations allows an attacker to manipulate user-controlled identifiers to access or modify reservation information that would normally be restricted. This results in an authorization bypass that can compromise confidentiality and integrity of reservation data, leading to potential exposure of customer details and manipulation of booking operations. The weakness is classified as CWE-639, a classic example of improper authorization controls.

Affected Systems

The issue affects the WordPress Five Star Restaurant Reservations plugin by Rustaurius, versions up to and including 2.7.4. WordPress sites running any of these plugin versions are vulnerable.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is considered high severity. The EPSS score is under 1 %, indicating a low but non‑zero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack vectors involve sending crafted requests containing manipulated reservation identifiers to the plugin’s endpoints. While the description does not explicitly state prerequisites, it is inferred that an authenticated user with sufficient access to the reservation interface could exploit the flaw, and that no privilege escalation beyond that level is required.

Generated by OpenCVE AI on April 27, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Five Star Restaurant Reservations plugin to version 2.7.7 or newer.
  • If an upgrade is not possible immediately, restrict or disable access to the plugin’s reservation endpoints for untrusted or unauthenticated users through role‑based access control settings.
  • Review and tighten WordPress user roles and permissions, ensuring that only authorized personnel have access to reservation management features, and monitor access logs for suspicious activity.

Generated by OpenCVE AI on April 27, 2026 at 21:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.4.
Title WordPress Five Star Restaurant Reservations plugin <= 2.7.8 - Insecure Direct Object References (IDOR) vulnerability WordPress Five Star Restaurant Reservations plugin <= 2.7.4 - Insecure Direct Object References (IDOR) vulnerability
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 06 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Rustaurius
Rustaurius five Star Restaurant Reservations
Wordpress
Wordpress wordpress
Vendors & Products Rustaurius
Rustaurius five Star Restaurant Reservations
Wordpress
Wordpress wordpress

Mon, 05 Jan 2026 11:00:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8.
Title WordPress Five Star Restaurant Reservations plugin <= 2.7.8 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

Rustaurius Five Star Restaurant Reservations
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:13:55.930Z

Reserved: 2025-12-15T10:01:07.754Z

Link: CVE-2025-68044

cve-icon Vulnrichment

Updated: 2026-01-06T16:24:35.612Z

cve-icon NVD

Status : Deferred

Published: 2026-01-05T11:17:41.827

Modified: 2026-04-23T15:35:52.250

Link: CVE-2025-68044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses