Skip to main content

Rustaurius Five Star Restaurant Reservations CVE-2025-68601

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-24 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Severity Changed
Apr 23, 2026 - 15:43 NVD
HIGH MEDIUM
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.8.

AnalysisAI

Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

Technical ContextAI

Cross-Site Request Forgery (CWE-352) is a web security vulnerability that forces authenticated users to execute unwanted actions on web applications where they are currently authenticated. The Five Star Restaurant Reservations WordPress plugin (restaurant-reservations) lacks proper CSRF token validation on state-changing operations through version 2.7.8. WordPress plugins commonly implement CSRF protection using nonce tokens (wp_nonce_field/wp_verify_nonce functions). Absence or improper implementation of these protections allows attackers to craft malicious requests that exploit the victim's authenticated session. In restaurant reservation systems, CSRF vulnerabilities typically affect administrative functions such as booking modifications, settings changes, customer data manipulation, or plugin configuration alterations.

Affected ProductsAI

The vulnerability affects the Five Star Restaurant Reservations plugin (restaurant-reservations) for WordPress, impacting all versions from the earliest release through version 2.7.8 inclusive. This plugin is developed by Rustaurius and provides table booking and reservation management functionality for restaurant websites. The vulnerability was reported through Patchstack's audit process (audit@patchstack.com). Site administrators running any version up to and including 2.7.8 should consider their installations vulnerable to CSRF attacks targeting administrative functions. The Patchstack database entry provides additional technical details at https://patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability.

RemediationAI

Site administrators should upgrade the Five Star Restaurant Reservations plugin to the latest available version beyond 2.7.8 as vendor-released patches typically address reported CSRF vulnerabilities through proper nonce implementation. Verify the current plugin version in the WordPress admin dashboard under Plugins and update through the standard WordPress update mechanism. Until patching is completed, implement defense-in-depth measures including restricting administrative access to trusted IP addresses via .htaccess or firewall rules, enforcing security awareness training for administrative users about not clicking untrusted links while authenticated, and reviewing WordPress audit logs for suspicious reservation or configuration changes. Consider temporarily restricting plugin functionality to essential operations only if administrative actions can be deferred. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability for specific remediation guidance and verification steps.

Share

CVE-2025-68601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy