Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable handler with missing authorization gives AV:N/AC:L/PR:N/UI:N; impact is data modification only, so I:H with C:N and A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions.
AnalysisAI
Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote unauthenticated attackers invoke protected plugin functionality and modify data without holding any account, per the CVSS PR:N vector. The flaw is a broken access control / missing capability check (CWE-862) reported by Patchstack, with a CVSS 3.1 base score of 7.5 driven entirely by integrity impact (C:N/I:H/A:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a target WordPress site has the Five Star Restaurant Reservations plugin installed and active at version 2.7.19 or earlier, with its vulnerable handler network-reachable (the default for a public WordPress site). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderately serious but not emergency-grade. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates WordPress sites running the Five Star Restaurant Reservations plugin and sends a crafted request directly to the plugin's unprotected handler (e.g., an admin-ajax or REST action), without logging in. Because the handler lacks a capability/nonce check, the request succeeds and alters reservation data or plugin state. … |
| Remediation | Upgrade the plugin to the latest available release above 2.7.19 from the WordPress plugin repository; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-19-broken-access-control-vulnerability) for the confirmed fixed version, as no exact patched version was supplied in the input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Disable the Five Star Restaurant Reservations plugin on all WordPress instances; audit database logs for unauthorized reservation modifications since last month. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a
Information disclosure in the Five Star Restaurant Reservations WordPress plugin (versions up to and including 2.7.14) a
Rustaurius Five Star Restaurant Reservations through version 2.7.9 contains an authorization bypass vulnerability that a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39367
GHSA-x239-8vvh-363p