CVE-2026-0658
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: WPScan

Description
The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0658
EUVD
EUVD-2026-5124
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
five_star_restaurant_reservations five_star_restaurant_reservations to 2.7.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress plugin 'Five Star Restaurant Reservations' versions before 2.7.9. It lacks CSRF protections on some bulk action endpoints, allowing attackers to trick logged-in administrators into performing unwanted actions, such as deleting bookings without their consent. An attacker can craft a malicious webpage that submits a request to delete bookings when an admin visits it, causing bookings to be deleted without proper authorization. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to delete arbitrary bookings from your restaurant reservation system without your consent. If an administrator visits a malicious webpage, bookings can be deleted automatically, potentially causing loss of important reservation data, disruption of business operations, and administrative confusion. [1]

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the URL `/wp-admin/admin.php?page=rtb-bookings` with parameters `action=delete` and `action2=delete` targeting booking IDs. Network or web server logs can be inspected for such suspicious requests. Additionally, checking the installed version of the Five Star Restaurant Reservations plugin to see if it is prior to 2.7.9 can help identify vulnerable systems. Specific commands could include using grep or similar tools on web server logs, for example: `grep 'admin.php?page=rtb-bookings' /var/log/apache2/access.log | grep 'action=delete'` to find potentially malicious requests. [1]

Mitigation Strategies

The immediate mitigation step is to update the Five Star Restaurant Reservations WordPress plugin to version 2.7.9 or later, where the CSRF vulnerability has been fixed. Additionally, restricting access to the booking management URL to trusted administrators and implementing web application firewall (WAF) rules to block unauthorized POST requests to the affected endpoints can help reduce risk until the update is applied. [1]

Compliance Impact

The vulnerability allows attackers to perform unauthorized actions such as deleting bookings by exploiting a lack of CSRF protections in the plugin. This could lead to unauthorized data manipulation or loss of booking records.

Such unauthorized actions and potential data loss or manipulation may impact compliance with data protection regulations like GDPR or HIPAA, which require ensuring data integrity, confidentiality, and proper authorization controls.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart