CVE-2026-0658 in Five Star Restaurant Reservations Plugin

Summary

by MITRE • 02/02/2026

The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/02/2026

The Five Star Restaurant Reservations WordPress plugin version 2.7.8 and earlier contains a critical cross-site request forgery vulnerability that exposes administrators to unauthorized actions. This flaw exists within the plugin's bulk action handling mechanisms where proper CSRF token validation is absent, creating a significant security gap that can be exploited by malicious actors. The vulnerability specifically affects the plugin's administrative interface where bulk operations are performed, making it particularly dangerous for restaurant reservation management systems that handle sensitive customer data.

The technical root of this vulnerability is the absence of anti-CSRF tokens (WordPress nonces) in the plugin's administrative bulk action endpoints. When administrators perform bulk operations such as deleting bookings, the plugin fails to validate that the request was intentionally submitted from its own administrative interface rather than forged by a third-party page. This omission allows attackers to craft web pages or emails that, when visited by an authenticated administrator, automatically submit requests to the plugin's administrative endpoints without the administrator's knowledge or consent. The vulnerability operates at the application layer and requires no privileges on the attacker's side; it only needs the victim to hold an authenticated session with administrative privileges when the forged request is sent.

The operational impact of this vulnerability extends beyond simple data manipulation to potentially compromise entire reservation systems and customer information. Attackers could delete critical booking records, disrupt reservation services, or potentially cause denial of service conditions within the restaurant management system. The implications are particularly severe given that restaurant reservation systems often contain sensitive personal information including customer names, contact details, and reservation history. This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and represents a clear violation of secure coding practices that should prevent unauthorized administrative actions.

Mitigation strategies for this vulnerability require immediate plugin updates to version 2.7.9 or later where CSRF protections have been implemented. Administrators should also implement additional security measures including regular security audits, monitoring of administrative actions, and ensuring that only trusted users have administrative access to the WordPress installation. The implementation of additional security layers such as web application firewalls and two-factor authentication can provide defense-in-depth protection against exploitation attempts. Organizations should also consider implementing automated patch management systems to ensure timely deployment of security updates across all WordPress plugins and themes. This vulnerability demonstrates the importance of CSRF protection in administrative interfaces and highlights the necessity of following established security frameworks like those recommended by the OWASP Top Ten project and NIST cybersecurity guidelines.
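Added illustration of the fix the analysis describes, written for this page and not taken from the plugin: a hypothetical WordPress bulk-delete handler in the unprotected pattern, followed by the hardened form that binds the request to a nonce and a capability check. All function, action and field names are assumptions.

```php
<?php
// Hypothetical bulk-delete handler for bookings; every name below is an
// assumption, not an identifier from the real plugin.

function hypo_delete_booking( $id ) {
    // Assumed storage model: one custom post per booking.
    return wp_delete_post( $id, true );
}

// VULNERABLE PATTERN (the class of flaw described for CVE-2026-0658): the
// handler trusts the POST fields plus the admin's cookie session, so a form
// auto-submitted from another site while an admin is logged in is accepted.
function hypo_bulk_delete_bookings_vulnerable() {
    if ( isset( $_POST['bulk_action'] ) && 'delete' === $_POST['bulk_action'] ) {
        foreach ( (array) $_POST['booking_ids'] as $id ) {
            hypo_delete_booking( absint( $id ) );
        }
    }
}

// HARDENED PATTERN: the form embeds a nonce bound to the action and the
// current user, and the handler refuses the request unless both the nonce
// and the capability check out.
function hypo_render_bulk_form() {
    echo '<form method="post">';
    wp_nonce_field( 'hypo_bulk_bookings', 'hypo_bulk_nonce' );
    echo '<input type="hidden" name="bulk_action" value="delete">';
    // ... one checkbox named booking_ids[] per booking, and a submit button ...
    echo '</form>';
}

function hypo_bulk_delete_bookings_hardened() {
    if ( ! isset( $_POST['bulk_action'] ) || 'delete' !== $_POST['bulk_action'] ) {
        return;
    }
    // Stops with a 403 page unless the nonce is present and valid; a form
    // built on another site cannot carry a nonce for this user and action.
    check_admin_referer( 'hypo_bulk_bookings', 'hypo_bulk_nonce' );
    // A nonce proves intent, not authorization, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), '', array( 'response' => 403 ) );
    }
    $ids = array_map( 'absint', (array) ( $_POST['booking_ids'] ?? array() ) );
    foreach ( array_filter( $ids ) as $id ) {
        hypo_delete_booking( $id );
    }
}
// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_init', 'hypo_bulk_delete_bookings_hardened' );
```

The same check applies to bulk actions wired through admin-ajax or a custom list table; wherever a state-changing request is handled, the nonce and capability verification must run before the first write.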

Responsible: WPScan
Reservation: 01/06/2026
Disclosure: 02/02/2026
Moderation: accepted
CPE: ready
EPSS: 0.00008
KEV: no
Activities: very low
Sector: Hospital
