[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBIEaFrqo1h4iTM1pHaL9MNrE6p4qZekKL957eYWKMmM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54835","five-star-restaurant-menu-and-food-ordering-missing-authorization","Five Star Restaurant Menu and Food Ordering \u003C= 2.5.2 - Missing Authorization","The Five Star Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","food-and-drink-menu",null,"\u003C=2.5.2","2.5.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-18 00:00:00","2026-06-23 15:53:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F391b8d9e-c57c-44d8-a060-c1b94a191522?source=api-prod",6,[22,23,24,25,26,27,28,29],"food-and-drink-menu.php","includes\u002Fclass-order-item.php","includes\u002Fclass-order-payments.php","lib\u002Fstripe\u002Flib\u002FCollection.php","lib\u002Fstripe\u002Flib\u002FHttpClient\u002FCurlClient.php","lib\u002Fstripe\u002Flib\u002FStripeObject.php","lib\u002Fstripe\u002Flib\u002FUtil\u002FCaseInsensitiveArray.php","lib\u002Fstripe\u002Flib\u002FUtil\u002FSet.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-54835 (Placeholder ID)\n\n## 1. Vulnerability Summary\nThe **Five Star Restaurant Menu and Food Ordering** plugin (versions \u003C= 2.5.2) contains a **Missing Authorization** vulnerability. The vulnerability resides in the handling of order status updates, specifically within the Stripe payment completion logic or administrative order actions processed via `admin_init`. \n\nDue to the lack of capability checks (`current_user_can()`) and insufficient nonce validation on specific AJAX handlers or initialization hooks, an unauthenticated attacker can manipulate the status of restaurant orders (e.g., marking a pending order as paid\u002Freceived).\n\n- **Vulnerable File:** `includes\u002Fclass-order-payments.php` (and potentially `includes\u002Fclass-ajax.php`)\n- **Vulnerable Function:** `stripe_sca_succeed` (hooked to `wp_ajax_nopriv_fdm_stripe_payment_succeed`) or an `admin_init` handler in `fdmAdminOrders`.\n- **CVSS Impact:** CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N (Low Integrity Impact).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `fdm_stripe_payment_succeed`\n- **Authentication:** None required (Targeting `wp","The Five Star Restaurant Menu and Food Ordering plugin is vulnerable to unauthorized order status manipulation due to insufficient verification in the Stripe payment completion handler. Unauthenticated attackers can mark pending orders as paid by sending a forged AJAX request that bypasses actual Stripe transaction validation.","\u002F\u002F includes\u002Fclass-order-payments.php\n\npublic function stripe_sca_succeed() {\n    global $fdm_controller;\n\n    if ( ! isset( $_POST['order_id'] ) ) { return; }\n\n    $order = new fdmOrderItem();\n    $order->load( intval( $_POST['order_id'] ) );\n\n    if ( $this->valid_payment( $order ) ) {\n\n        $order->post_status = 'fdm_order_received';\n\n        $order->payment_amount = $fdm_controller->settings->get_setting( 'ordering-currency' ) != 'JPY' ? intval( $_POST['payment_amount'] ) \u002F 100 : intval( $_POST['payment_amount'] );\n\n        $order->receipt_id = sanitize_text_field( $_POST['payment_id'] );\n\n        \u002F\u002F Not needed anymore\n        unset( $order->stripe_payment_intent_id );\n\n        $order->save_order_post();\n    }\n\n    die();\n}\n\n---\n\n\u002F\u002F includes\u002Fclass-order-payments.php\n\npublic function valid_payment( $order ) {\n\n    return sanitize_text_field( $_POST['payment_id'] ) == $order->stripe_payment_intent_id;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffood-and-drink-menu\u002F2.5.2\u002Fincludes\u002Fclass-order-payments.php\t2025-04-29 21:40:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffood-and-drink-menu\u002F2.5.3\u002Fincludes\u002Fclass-order-payments.php\t2026-06-03 13:44:50.000000000 +0000\n@@ -358,9 +358,16 @@\n \n         \t\t$order->post_status = 'fdm_order_received';\n \n-        \t\t$order->payment_amount = $fdm_controller->settings->get_setting( 'ordering-currency' ) != 'JPY' ? intval( $_POST['payment_amount'] ) \u002F 100 : intval( $_POST['payment_amount'] );\n+       \t\t\t\u002F\u002F load the stripe libraries\n+\t\t\t\trequire_once( FDM_PLUGIN_DIR . '\u002Flib\u002Fstripe\u002Finit.php' );\n \n-        \t\t$order->receipt_id = sanitize_text_field( $_POST['payment_id'] );\n+\t\t\t\t\\Stripe\\Stripe::setApiKey( $this->get_secret() );\n+\n+\t\t\t\t$intent = \\Stripe\\PaymentIntent::retrieve( $order->stripe_payment_intent_id );\n+\n+\t\t\t\t$order->payment_amount = $fdm_controller->settings->get_setting( 'ordering-currency' ) != 'JPY' ? $intent->amount \u002F 100 : $intent->amount;\n+\t\t\t\t\n+\t\t\t\t$order->receipt_id = $intent->id;\n \n         \t\t\u002F\u002F Not needed anymore\n         \t\tunset( $order->stripe_payment_intent_id );\n@@ -394,13 +401,41 @@\n   \t}\n \n \t\u002F**\n-\t * Validate the payment success request by verifing the payment_intent ID\n+\t * Validate the payment success request by verifying the payment_intent ID\n \t * \n \t * @return bool true on valid else false\n \t *\u002F\n \tpublic function valid_payment( $order ) {\n+\t\tglobal $fdm_controller;\n+\n+\t\tif ( empty( $order->stripe_payment_intent_id ) ) { return false; }\n+\n+\t\t$posted_id = sanitize_text_field( $_POST['payment_id'] ?? '' );\n+\t\tif ( $posted_id !== $order->stripe_payment_intent_id ) { return false; }\n+\n+\t\ttry {\n+\n+\t\t\t\u002F\u002F load the stripe libraries\n+\t\t\trequire_once( FDM_PLUGIN_DIR . '\u002Flib\u002Fstripe\u002Finit.php' );\n+\n+\t\t\t\\Stripe\\Stripe::setApiKey( $this->get_secret() );\n+\n+\t\t\t$intent = \\Stripe\\PaymentIntent::retrieve( $order->stripe_payment_intent_id );\n+\n+\t\t\t$is_hold = $fdm_controller->settings->get_setting( 'fdm-stripe-hold' );\n+\t\t\t$valid_status = $is_hold ? 'requires_capture' : 'succeeded';\n+\n+\t\t\treturn $intent->status === $valid_status;\n+\t\t} \n+\t\tcatch ( Exception $ex ) {\n+\n+\t\t\tif ( defined('WP_DEBUG') && WP_DEBUG ) {\n+\n+\t\t\t\terror_log( sprintf( __( 'Five Star FDM Stripe valid_payment error: %s', 'food-and-drink-menu' ), $ex->getMessage() ) );\n+\t\t\t}\n \n-\t\treturn sanitize_text_field( $_POST['payment_id'] ) == $order->stripe_payment_intent_id;\n+\t\t\treturn false;\n+\t\t}\n   \t}","1. An attacker identifies a pending order ID (which can often be enumerated or obtained after a legitimate checkout attempt is halted).\n2. The attacker identifies the `stripe_payment_intent_id` associated with that order. In many Stripe implementations, this ID is sent to the client-side to initialize the payment element.\n3. The attacker crafts a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `fdm_stripe_payment_succeed`.\n4. The payload includes the target `order_id`, the matching `payment_id` (the intent ID), and a `payment_amount` (e.g., 0).\n5. Because version 2.5.2 only checks if the `payment_id` in the POST request matches the `stripe_payment_intent_id` stored in the database, the check passes without communicating with Stripe.\n6. The plugin updates the order post status to 'fdm_order_received', effectively marking the order as paid in the restaurant's system without any money being transferred.","gemini-3-flash-preview","2026-06-25 21:19:08","2026-06-25 21:20:51",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffood-and-drink-menu\u002Ftags\u002F2.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffood-and-drink-menu.2.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffood-and-drink-menu\u002Ftags\u002F2.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffood-and-drink-menu.2.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffood-and-drink-menu\u002Ftags"]