Description
The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
Published: 2026-02-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unwanted deletion of restaurant reservations via CSRF
Action: Patch
AI Analysis

Impact

The Five Star Restaurant Reservations WordPress plugin before version 2.7.9 lacks cross‑site request forgery protection for certain bulk booking actions, which can allow an attacker to manipulate a logged‑in administrator into deleting reservations. This weakness is an example of CWE‑352, where an unauthorized user forces a legitimate user to perform an unintended action without confirmation of intent.

Affected Systems

The vulnerability affects the Five Star Restaurant Reservations plugin for WordPress in all versions earlier than 2.7.9. Administrators using these versions are at risk of having their booking data erased via crafted requests sent from a malicious site.

Risk and Exploitability

The vulnerability has a moderate CVSS score of 4.3 and a very low exploitation probability (EPSS < 1 %). It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to coerce a legitimate administrator to process a malicious request, typically by embedding a CSRF link in a fraud or phishing page. Because the exploit requires a logged‑in admin session, its likelihood is limited to scenarios where administrators are unaware of the attacker’s presence, making this a moderate but opportunistic risk.

Generated by OpenCVE AI on April 18, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Five Star Restaurant Reservations plugin to version 2.7.9 or later.
  • Require users to log out or use two‑factor authentication after administrative operations to reduce the window for a CSRF attack.
  • Review WordPress admin logs for unexpected bulk deletion events and investigate anomalous activity.

Generated by OpenCVE AI on April 18, 2026 at 00:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 02 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
Title Five Star Restaurant Reservations < 2.7.9 - Arbitrary Bookings Deletion via CSRF
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-02-02T14:53:22.633Z

Reserved: 2026-01-06T19:46:02.313Z

Link: CVE-2026-0658

cve-icon Vulnrichment

Updated: 2026-02-02T14:52:41.853Z

cve-icon NVD

Status : Deferred

Published: 2026-02-02T07:16:44.803

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses