Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
AnalysisAI
Information disclosure in the Five Star Restaurant Reservations WordPress plugin (versions up to and including 2.7.14) allows unauthenticated remote attackers to bypass access control checks due to a missing authorization flaw (CWE-862). Patchstack characterizes the issue as a payment bypass vulnerability, meaning attackers can exercise restaurant reservation or payment-related functionality that should require proper authorization. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting it is not currently being mass-exploited.
Technical ContextAI
The affected product is the Five Star Restaurant Reservations plugin published by Etoile Web Design Incorporated for WordPress, identified by the CPE cpe:2.3:a:etoile_web_design_incorporated:five_star_restaurant_reservations:*. The underlying weakness is CWE-862 (Missing Authorization), which occurs when an application performs a sensitive action without verifying that the requesting user is authorized to perform it. In WordPress plugins this class of flaw typically arises from AJAX or REST endpoints that omit current_user_can() or capability checks, leaving privileged actions reachable by unauthenticated visitors. Patchstack's advisory describes the impact specifically as a payment bypass, suggesting an endpoint tied to reservation payment processing fails to validate the caller's authorization context.
RemediationAI
No vendor-released patched version is independently confirmed in the supplied data; the Patchstack advisory marks 2.7.14 as the last vulnerable version, so administrators should upgrade Five Star Restaurant Reservations to the next release published by Etoile Web Design above 2.7.14 once available and consult https://patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-14-payment-bypass-vulnerability for the fixed version reference. Until a patched build is installed, compensating controls include deactivating the plugin if reservations are not business-critical (trade-off: loss of booking functionality), restricting access to the plugin's AJAX/REST endpoints via a WAF rule or webserver ACL targeting wp-admin/admin-ajax.php actions and /wp-json/ routes associated with the plugin (trade-off: legitimate booking flows may break and require testing), and enabling Patchstack or an equivalent virtual-patching service that ships a rule for this CVE. Monitor WordPress access logs for anomalous POSTs to reservation/payment endpoints from unauthenticated sessions.
The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a
Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote
Rustaurius Five Star Restaurant Reservations through version 2.7.9 contains an authorization bypass vulnerability that a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33908
GHSA-9jwp-gmrx-22rr