Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.9.
AnalysisAI
Rustaurius Five Star Restaurant Reservations through version 2.7.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify reservation data and disrupt service availability by exploiting misconfigured access controls. The vulnerability requires no user interaction and can be triggered remotely, enabling attackers to tamper with restaurant operations without authentication. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability stems from improper implementation of access control mechanisms in the Five Star Restaurant Reservations WordPress plugin (identified via CPE cpe:2.3:a:rustaurius:five_star_restaurant_reservations:*:*:*:*:*:*:*:*). The root cause is classified under CWE-862 (Missing Authorization), which describes scenarios where software fails to properly enforce that a user cannot perform a particular action. In WordPress plugins, this typically manifests as missing or inadequate capability checks (is_user_logged_in(), current_user_can()) on administrative or sensitive functions. The plugin's reservation management system likely exposes endpoints or functionalities that should be restricted to authenticated administrators or restaurant owners but instead are accessible to unauthenticated users or lower-privileged accounts due to misconfigured security levels.
RemediationAI
Immediately upgrade the Five Star Restaurant Reservations plugin to version 2.7.10 or later (assuming a patched version has been released beyond 2.7.9). Review the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve) for specific patch details. As a temporary workaround pending an official patch, restrict direct access to the plugin's administrative endpoints using WordPress security plugins that enforce role-based access control, and review user roles and permissions to ensure only trusted administrators have access to reservation management functions. Additionally, audit access logs for unauthorized attempts to modify reservation data or access sensitive booking information.
The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a
Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote
Information disclosure in the Five Star Restaurant Reservations WordPress plugin (versions up to and including 2.7.14) a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15643
GHSA-v96j-6v36-85g6