Skip to main content

FoodBook Lite EUVDEUVD-2026-43610

| CVE-2026-11802 MEDIUM
Missing Authorization (CWE-862)
2026-07-14 Wordfence GHSA-rg6f-xv76-vf59
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Publicly accessible unauthenticated AJAX endpoint with no complexity; only limited integrity impact (account creation at customer role); no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 02:31 vuln.today
CVE Published
Jul 14, 2026 - 01:30 nvd
MEDIUM 5.3

DescriptionCVE.org

The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.

AnalysisAI

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with FoodBook Lite ≤1.5.6 active
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php with action=registration_action
Exploit
Plugin invokes wp_insert_user() without nonce or capability check
Execution
New 'customer' account created, bypassing users_can_register=0
Persist
Receive WordPress authentication cookies
Impact
Authenticate and access customer-gated site functionality

Vulnerability AssessmentAI

Exploitation The FoodBook Lite - Online Food Ordering System plugin by Themelooks must be installed and active on the WordPress site running version 1.5.6 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 5.3 Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the technical exploitation baseline: the endpoint is network-accessible, requires no authentication, no complexity, and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted unauthenticated HTTP POST request to https://target-site.com/wp-admin/admin-ajax.php with the body action=registration_action and desired username, email, and password parameters; the plugin's registration() function processes the request and calls wp_insert_user() without any authorization check, creating a new 'customer' account and returning authentication cookies in the response. The attacker then authenticates with those cookies and accesses any WordPress functionality or WooCommerce-adjacent data gated behind the customer role, potentially including order histories or stored PII. …
Remediation Upgrade FoodBook Lite to version 1.5.7 or later; this release introduces the missing nonce verification, capability check, and users_can_register option check in class-components-ajax.php and helper-functions.php, as confirmed by Trac diffs at the plugin's repository for the 1.5.7 tag. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy