CVE-2025-68601
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations (restaurant-reservations) allows Cross Site Request Forgery. This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.8.
Analysis
Cross-Site Request Forgery (CSRF) in the Five Star Restaurant Reservations WordPress plugin, versions 2.7.8 and earlier, lets an unauthenticated attacker cause a logged-in administrator's browser to submit state-changing requests the administrator never intended, typically by luring them to a crafted page while they hold a valid WordPress session. The CVSS 3.1 base score is 8.8 (High): network attack vector, low attack complexity and no privileges required, but user interaction (the victim visiting the attacker's page) is necessary, and the impact is rated high for confidentiality, integrity and availability. The EPSS probability is minimal (0.02%, 6th percentile), so observed exploitation likelihood is low despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) and no public exploit code had been identified at the time of analysis.
Technical Context
Cross-Site Request Forgery (CWE-352) is a web vulnerability in which a victim's browser is induced to send a request the victim did not intend to an application where the victim is currently authenticated; because the browser attaches the session cookies automatically, the application cannot distinguish the forged request from a legitimate one unless the request carries a secret the attacker cannot obtain. The Five Star Restaurant Reservations WordPress plugin (restaurant-reservations) lacks proper CSRF token validation on at least one state-changing operation through version 2.7.8. WordPress plugins implement this protection with nonces: the form or AJAX call is rendered with wp_nonce_field() or wp_create_nonce(), and the handler verifies it with wp_verify_nonce(), check_admin_referer() or check_ajax_referer() before touching state. A nonce proves intent, not permission, so the handler must also check the caller's capability (for example current_user_can('manage_options')); a handler that skips either check is exploitable. In restaurant reservation systems, CSRF vulnerabilities typically affect administrative functions such as booking modifications, settings changes, customer data manipulation, or plugin configuration alterations.
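The following is an added illustration of the vulnerable and hardened patterns described above; it is not code from the Five Star Restaurant Reservations plugin, and the hook names, the rtb_demo_settings option, the rtb_nonce field name and the settings fields are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not the plugin's own code. Shows a hypothetical admin-post
 * "save settings" handler written without CSRF protection (CWE-352) and the
 * same handler hardened with a WordPress nonce plus a capability check.
 * Names (rtb_save_settings, rtb_demo_settings, rtb_nonce) are assumptions.
 */

// --- Vulnerable pattern: no nonce, no capability check. -------------------
// admin_post_* hooks fire for any logged-in user. A page the administrator
// visits while logged in can auto-submit a form to
// admin-post.php?action=rtb_save_settings_insecure and this runs unchallenged.
add_action( 'admin_post_rtb_save_settings_insecure', 'rtb_demo_save_settings_insecure' );
function rtb_demo_save_settings_insecure() {
    $settings = array(
        'max_party_size' => absint( $_POST['max_party_size'] ?? 0 ),
        'notify_email'   => sanitize_email( $_POST['notify_email'] ?? '' ),
    );
    update_option( 'rtb_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=rtb-demo-settings&saved=1' ) );
    exit;
}

// --- Hardened pattern: nonce in the form, nonce + capability in the handler.
function rtb_demo_render_settings_form() {
    $settings = get_option( 'rtb_demo_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rtb_save_settings" />
        <?php // Emits a hidden rtb_nonce field bound to this user, session and action.
        wp_nonce_field( 'rtb_save_settings', 'rtb_nonce' ); ?>
        <label>Maximum party size
            <input type="number" name="max_party_size"
                   value="<?php echo esc_attr( $settings['max_party_size'] ?? '' ); ?>" />
        </label>
        <label>Notification e-mail
            <input type="email" name="notify_email"
                   value="<?php echo esc_attr( $settings['notify_email'] ?? '' ); ?>" />
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_rtb_save_settings', 'rtb_demo_save_settings' );
function rtb_demo_save_settings() {
    // 1. Authorisation: the nonce proves intent, not permission, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'rtb-demo' ), 403 );
    }
    // 2. CSRF: check_admin_referer() runs wp_verify_nonce() on $_REQUEST['rtb_nonce']
    //    for the 'rtb_save_settings' action and dies ("The link you followed has
    //    expired.") if the nonce is missing, stale, or issued to a different user.
    //    An attacker's page cannot read the victim's nonce, so a forged POST fails here.
    check_admin_referer( 'rtb_save_settings', 'rtb_nonce' );

    $settings = array(
        'max_party_size' => absint( wp_unslash( $_POST['max_party_size'] ?? 0 ) ),
        'notify_email'   => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
    );
    update_option( 'rtb_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=rtb-demo-settings&saved=1' ) );
    exit;
}

// --- The same rule applies to admin-ajax.php endpoints. --------------------
// check_ajax_referer() is the AJAX counterpart; with $die = true (default) it
// terminates the request on a bad nonce. The JS caller must send the nonce
// created with wp_create_nonce( 'rtb_delete_booking' ) in the 'nonce' field.
add_action( 'wp_ajax_rtb_delete_booking', 'rtb_demo_delete_booking' );
function rtb_demo_delete_booking() {
    check_ajax_referer( 'rtb_delete_booking', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $booking_id = absint( wp_unslash( $_POST['booking_id'] ?? 0 ) );
    // ... delete booking $booking_id here (omitted in this example) ...
    wp_send_json_success( array( 'deleted' => $booking_id ) );
}
```

Note that the nonce check must sit before any state change, and that it is not a substitute for the capability check: a subscriber with a valid nonce of their own would otherwise pass the CSRF gate and still be allowed to modify settings. When reviewing a plugin for this class of bug, grep its admin_post_*, wp_ajax_* and admin_init handlers for update_option(), $wpdb writes or wp_delete_post() calls that are not preceded by one of the three verification functions above.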
Affected Products
The vulnerability affects the Five Star Restaurant Reservations plugin (restaurant-reservations) for WordPress, impacting all versions from the earliest release through version 2.7.8 inclusive. This plugin is developed by Rustaurius and provides table booking and reservation management functionality for restaurant websites. The vulnerability was reported through Patchstack's audit process ([email protected]). Site administrators running any version up to and including 2.7.8 should consider their installations vulnerable to CSRF attacks targeting administrative functions. The Patchstack database entry provides additional technical details at https://patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability.
Remediation
Site administrators should upgrade the Five Star Restaurant Reservations plugin to the latest available version beyond 2.7.8; vendor-released patches for reported CSRF issues normally add the missing nonce and capability checks to the affected handlers. Verify the installed version in the WordPress admin dashboard under Plugins (or with `wp plugin get restaurant-reservations --field=version` via WP-CLI) and update through the standard WordPress update mechanism. Until the update is applied, reduce exposure with defence-in-depth measures, keeping in mind what CSRF actually requires: the forged request is sent by the administrator's own browser with the administrator's own session cookies, so restricting wp-admin to trusted IP addresses via .htaccess or firewall rules does not block an attack against an administrator working from a trusted address; it only limits who can reach the admin area at all. More effective interim controls are to have administrators use a dedicated browser or profile for site administration and log out of WordPress before browsing untrusted sites, to keep administrator sessions short, and to review WordPress audit logs and the plugin's reservation and settings history for changes no administrator made. If administrative actions on the plugin can be deferred, consider deactivating it until the patched version is installed. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability for the fixed version and any verification steps.