Skip to main content

Foodbook Lite Online Food Ordering System

1 CVEs product

Monthly

CVE-2026-11802 MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy