Skip to main content

Five Star Restaurant Reservations CVE-2026-42670

| EUVDEUVD-2026-33908 HIGH
Missing Authorization (CWE-862)
2026-06-02 Patchstack GHSA-9jwp-gmrx-22rr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 16:22 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jun 02, 2026 - 10:41 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.

AnalysisAI

Information disclosure in the Five Star Restaurant Reservations WordPress plugin (versions up to and including 2.7.14) allows unauthenticated remote attackers to bypass access control checks due to a missing authorization flaw (CWE-862). Patchstack characterizes the issue as a payment bypass vulnerability, meaning attackers can exercise restaurant reservation or payment-related functionality that should require proper authorization. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting it is not currently being mass-exploited.

Technical ContextAI

The affected product is the Five Star Restaurant Reservations plugin published by Etoile Web Design Incorporated for WordPress, identified by the CPE cpe:2.3:a:etoile_web_design_incorporated:five_star_restaurant_reservations:*. The underlying weakness is CWE-862 (Missing Authorization), which occurs when an application performs a sensitive action without verifying that the requesting user is authorized to perform it. In WordPress plugins this class of flaw typically arises from AJAX or REST endpoints that omit current_user_can() or capability checks, leaving privileged actions reachable by unauthenticated visitors. Patchstack's advisory describes the impact specifically as a payment bypass, suggesting an endpoint tied to reservation payment processing fails to validate the caller's authorization context.

RemediationAI

No vendor-released patched version is independently confirmed in the supplied data; the Patchstack advisory marks 2.7.14 as the last vulnerable version, so administrators should upgrade Five Star Restaurant Reservations to the next release published by Etoile Web Design above 2.7.14 once available and consult https://patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-14-payment-bypass-vulnerability for the fixed version reference. Until a patched build is installed, compensating controls include deactivating the plugin if reservations are not business-critical (trade-off: loss of booking functionality), restricting access to the plugin's AJAX/REST endpoints via a WAF rule or webserver ACL targeting wp-admin/admin-ajax.php actions and /wp-json/ routes associated with the plugin (trade-off: legitimate booking flows may break and require testing), and enabling Patchstack or an equivalent virtual-patching service that ships a rule for this CVE. Monitor WordPress access logs for anomalous POSTs to reservation/payment endpoints from unauthenticated sessions.

Share

CVE-2026-42670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy