CVE-2026-11802 in FoodBook Lite Plugininfo

Summary

by MITRE • 07/14/2026

The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in FoodBook Lite plugin represents a critical authorization flaw that undermines fundamental WordPress security mechanisms. This issue affects all versions up to and including 1.5.6 and stems from improper access control implementation within the plugin's AJAX handling system. The registration function exposed through wp_ajax_nopriv_registration_action creates a direct pathway for unauthorized account creation without proper validation or authentication checks, fundamentally violating core security principles that should prevent such unrestricted user provisioning.

The technical implementation flaw lies in the complete absence of nonce verification and capability checks within the registration endpoint. When an attacker sends a request to the wp_ajax_nopriv_registration_action handler, the system processes the registration request without validating the authenticity of the request or verifying whether the requester has proper authorization rights. Additionally, the plugin fails to respect WordPress's built-in user registration settings by not checking the users_can_register option before executing wp_insert_user(). This oversight allows attackers to bypass site administrator preferences and create accounts regardless of registration policies.

The operational impact of this vulnerability extends beyond simple account creation as it enables attackers to establish persistent access points within the system. Unauthenticated users can register with the customer role, gaining access to functionality that may include order placement, menu browsing, and potentially sensitive data exposure depending on the plugin's feature set. The authentication cookies issued during registration provide attackers with legitimate session tokens that could persist until manually revoked or expire naturally. This capability transforms a simple denial of service scenario into a potential foothold for further exploitation and privilege escalation attacks.

Security researchers categorize this vulnerability under CWE-863, which addresses "Incorrect Authorization" conditions where the system fails to properly verify whether an actor is authorized to perform requested operations. The attack pattern aligns with ATT&CK technique T1078.004, "Valid Accounts: Cloud Accounts," as attackers can leverage legitimate account creation mechanisms to establish persistent access. Mitigation strategies should include immediate plugin updates to versions that implement proper nonce verification and capability checks, along with verification of WordPress core settings related to user registration. Administrators should also consider implementing additional security measures such as rate limiting for registration endpoints and monitoring for unusual account creation patterns. The vulnerability demonstrates the importance of defensive programming practices where all public-facing interfaces must validate input, verify authorization, and respect system-level configuration parameters.

Responsible

Wordfence

Reservation

06/09/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!