Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Publicly accessible unauthenticated AJAX endpoint with no complexity; only limited integrity impact (account creation at customer role); no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.
AnalysisAI
Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The FoodBook Lite - Online Food Ordering System plugin by Themelooks must be installed and active on the WordPress site running version 1.5.6 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 5.3 Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the technical exploitation baseline: the endpoint is network-accessible, requires no authentication, no complexity, and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted unauthenticated HTTP POST request to https://target-site.com/wp-admin/admin-ajax.php with the body action=registration_action and desired username, email, and password parameters; the plugin's registration() function processes the request and calls wp_insert_user() without any authorization check, creating a new 'customer' account and returning authentication cookies in the response. The attacker then authenticates with those cookies and accesses any WordPress functionality or WooCommerce-adjacent data gated behind the customer role, potentially including order histories or stored PII. … |
| Remediation | Upgrade FoodBook Lite to version 1.5.7 or later; this release introduces the missing nonce verification, capability check, and users_can_register option check in class-components-ajax.php and helper-functions.php, as confirmed by Trac diffs at the plugin's repository for the 1.5.7 tag. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43610
GHSA-rg6f-xv76-vf59