CVE-2023-34017 in Five Star Restaurant Reservations Plugininfo

Summary

by MITRE • 07/25/2023

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FiveStarPlugins Five Star Restaurant Reservations plugin <= 2.6.7 versions.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/13/2026

This vulnerability represents an unauthorized reflected cross-site scripting flaw that affects the FiveStarPlugins Five Star Restaurant Reservations WordPress plugin version 2.6.7 and earlier. The issue stems from insufficient input validation and output sanitization within the plugin's handling of user-supplied data, specifically in parameters that are reflected back to users without proper encoding or filtering mechanisms. The vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The reflected nature of this vulnerability means that the malicious script is embedded in a request and then reflected back by the server to the victim's browser, making it particularly dangerous as it can be delivered through various attack vectors including email links, malicious advertisements, or compromised websites. The vulnerability is classified under CWE-79 as a failure to sanitize user input before reflecting it back to users, which directly violates the principle of input validation and output encoding. From an operational perspective, this vulnerability poses significant risk to restaurant reservation systems as it could allow attackers to gain unauthorized access to reservation data, manipulate booking information, or redirect users to malicious sites. The impact is amplified in environments where the plugin is widely used and where users may have administrative privileges or access to sensitive reservation data. The vulnerability aligns with ATT&CK technique T1566.001 which involves social engineering through malicious links, and T1059.001 which covers command and scripting interpreter execution through web-based attacks. Organizations using this plugin version should immediately implement mitigations including input validation, output encoding, and proper parameter sanitization. The most effective immediate fix involves upgrading to a patched version of the plugin where the vulnerability has been addressed through proper input sanitization and output encoding mechanisms. Additionally, implementing web application firewalls, content security policies, and regular security audits can help prevent exploitation attempts. Security monitoring should focus on detecting suspicious URL parameters and unusual traffic patterns that may indicate attempted exploitation of this vulnerability, particularly around reservation-related endpoints and user input fields.

Reservation

05/25/2023

Disclosure

07/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00402

KEV

no

Activities

very low

Sector

Hospital

Sources

Interested in the pricing of exploits?

See the underground prices here!