CVE-2026-0658
BaseFortify
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| five_star_restaurant_reservations | five_star_restaurant_reservations | to 2.7.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress plugin 'Five Star Restaurant Reservations' versions before 2.7.9. It lacks CSRF protections on some bulk action endpoints, allowing attackers to trick logged-in administrators into performing unwanted actions, such as deleting bookings without their consent. An attacker can craft a malicious webpage that submits a request to delete bookings when an admin visits it, causing bookings to be deleted without proper authorization. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to delete arbitrary bookings from your restaurant reservation system without your consent. If an administrator visits a malicious webpage, bookings can be deleted automatically, potentially causing loss of important reservation data, disruption of business operations, and administrative confusion. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the URL `/wp-admin/admin.php?page=rtb-bookings` with parameters `action=delete` and `action2=delete` targeting booking IDs. Network or web server logs can be inspected for such suspicious requests. Additionally, checking the installed version of the Five Star Restaurant Reservations plugin to see if it is prior to 2.7.9 can help identify vulnerable systems. Specific commands could include using grep or similar tools on web server logs, for example: `grep 'admin.php?page=rtb-bookings' /var/log/apache2/access.log | grep 'action=delete'` to find potentially malicious requests. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Five Star Restaurant Reservations WordPress plugin to version 2.7.9 or later, where the CSRF vulnerability has been fixed. Additionally, restricting access to the booking management URL to trusted administrators and implementing web application firewall (WAF) rules to block unauthorized POST requests to the affected endpoints can help reduce risk until the update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to perform unauthorized actions such as deleting bookings by exploiting a lack of CSRF protections in the plugin. This could lead to unauthorized data manipulation or loss of booking records.
Such unauthorized actions and potential data loss or manipulation may impact compliance with data protection regulations like GDPR or HIPAA, which require ensuring data integrity, confidentiality, and proper authorization controls.
However, the provided information does not explicitly state the direct impact on compliance with these standards.