VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026

CVE-2026-0658

Description

The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Five Star Restaurant Reservations plugin before 2.7.9 lacks CSRF checks in bulk actions, allowing attackers to trick admins into deleting bookings.

Vulnerability Overview

The Five Star Restaurant Reservations WordPress plugin, versions prior to 2.7.9, fails to include Cross-Site Request Forgery (CSRF) checks in certain bulk actions. Without nonce validation on those actions, a logged-in admin who visits a malicious page or clicks a crafted link can trigger them without intending to [1].
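The pattern whose absence is described above, shown as an added example for developers auditing their own bulk handlers. It is not the plugin's code or its 2.7.9 patch: every `example_*` name, the `example-bookings` page slug, the `manage_options` capability and the assumption that bookings are stored as posts are hypothetical.

```php
<?php
// Added illustration with hypothetical example_* names; not the plugin's code.

// Render side: call inside the bookings <form method="post"> so every
// bulk submission carries a nonce bound to this action and this user.
function example_render_bulk_controls() {
    wp_nonce_field( 'example_bulk_bookings', 'example_bulk_nonce' );
    echo '<select name="example_bulk_action"><option value="delete">Delete</option></select>';
    submit_button( 'Apply', 'action', 'example_bulk_apply', false );
}

// Handler side: runs on admin_init, before any booking is touched.
function example_handle_bulk_action() {
    $method = $_SERVER['REQUEST_METHOD'] ?? '';
    if ( 'POST' !== $method || empty( $_POST['example_bulk_action'] ) ) {
        return; // State changes are accepted only as POST with an explicit action.
    }

    // Authorisation: the session must belong to a user allowed to manage bookings.
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: check_admin_referer() stops the request if the nonce is
    // missing, expired, or was issued for a different user or action.
    check_admin_referer( 'example_bulk_bookings', 'example_bulk_nonce' );

    $action = sanitize_key( wp_unslash( $_POST['example_bulk_action'] ) );
    $raw    = (array) ( $_POST['booking_ids'] ?? array() );
    $ids    = array_filter( array_map( 'absint', $raw ) ); // keep positive integers only

    if ( 'delete' === $action ) {
        foreach ( $ids as $id ) {
            wp_trash_post( $id ); // recoverable; assumes bookings are stored as posts
        }
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-bookings' ) );
    exit;
}
add_action( 'admin_init', 'example_handle_bulk_action' );
```

The capability check and the nonce check answer different questions: the first confirms who the session belongs to, the second confirms the request was built by the admin screen rather than by a third-party page.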

Exploitation Method

An attacker can exploit this by crafting a request that deletes bookings, then luring an administrator into triggering it, for example via a disguised link in an email or a malicious website. Because the plugin does not verify that the request originated from the intended admin interface, the request runs with the logged-in admin's session and carries out the attacker's chosen action [1]. No special privileges beyond the admin's existing session are required.

Impact

A successful CSRF attack could allow an attacker to arbitrarily delete existing restaurant reservations, leading to data loss and disruption of service. This could harm the business's operations and reputation, as well as confuse or inconvenience customers [1].

Mitigation

The vulnerability is fixed in version 2.7.9. Users are strongly advised to update the plugin immediately. No workarounds are provided, but ensuring that the plugin is always updated to the latest version is the recommended mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 1
