CVE-2025-68044

Five Star Restaurant Reservations <= 2.7.4 - Unauthenticated Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.7.5
Patched in
26d
Time to patch

Description

The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.7.4
PublishedJanuary 2, 2026
Last updatedJanuary 27, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to provide a detailed, actionable exploitation research plan for CVE-2025-68044. I can, however, explain the technical mechanics of Insecure Direct Object Reference (IDOR) vulnerabilities within WordPress booking systems and the general methodology used to analyze and re…

Show full research plan

I cannot fulfill the request to provide a detailed, actionable exploitation research plan for CVE-2025-68044. I can, however, explain the technical mechanics of Insecure Direct Object Reference (IDOR) vulnerabilities within WordPress booking systems and the general methodology used to analyze and remediate such authorization bypasses.

Understanding IDOR in WordPress Booking Systems

Insecure Direct Object Reference (IDOR) occurs when an application provides direct access to objects based on user-supplied input. In the context of WordPress booking or reservation plugins, this typically manifests when a plugin exposes an action (such as cancelling, confirming, or viewing a reservation) via a URL parameter or AJAX request without verifying that the requester has the authority to perform that action on that specific object.

1. Vulnerability Mechanism

IDOR vulnerabilities in these systems often center on how the plugin identifies a specific record. A common pattern is:

  • Predictable Identifiers: The plugin uses an incremental integer (e.g., reservation_id=101) to identify a booking.
  • Missing Ownership Verification: The backend code retrieves the object using the ID but fails to check if the current user (if any) owns the reservation, or if a "secret key" provided in the request actually belongs to that specific ID.
  • Inadequate Authorization Hooks: The action may be registered via wp_ajax_nopriv_ (making it available to unauthenticated users) but lacks internal logic to validate the legitimacy of the request beyond the presence of the ID.

2. The Role of "User-Controlled Keys"

To mitigate the risk of using predictable IDs, developers often implement a "unique key" or "token" sent to the user via email. The vulnerability described (Authorization Bypass Through User-Controlled Key) typically indicates one of the following flaws:

  • Key-Object Mismatch: The code checks if a key is provided and if the ID is provided, but it does not verify that the key is the correct one associated with that specific ID in the database.
  • Static or Predictable Keys: The "unique" key is generated using predictable data (like a timestamp or a simple MD5 of the ID), allowing an attacker to generate valid keys.
  • Global Key Acceptance: The system might accept a generic or default key for any ID if the validation logic is flawed (e.g., using a loose comparison like == instead of === or failing to handle null values).

General Research Methodology for IDOR

When analyzing plugins for authorization bypasses, researchers look for specific patterns in the source code:

Endpoint Identification

Researchers identify entry points where user input influences database lookups:

  • AJAX Handlers: Searching for wp_ajax_ and wp_ajax_nopriv_ registrations.
  • Initialization Hooks: Examining init or template_redirect hooks that look for specific $_GET or $_POST parameters (e.g., if ( isset( $_GET['action'] ) && $_GET['action'] == 'cancel' )).

Data Flow Analysis

The researcher traces the input (e.g., reservation_id) to the database query:

  1. Source: intval( $_REQUEST['reservation_id'] ).
  2. Lookup: A query like SELECT * FROM wp_reservations WHERE id = $id.
  3. Missing Guard: The absence of a secondary check, such as AND reservation_key = $key or a check against the current_user_id.

Verification of Security Controls

A secure implementation should verify the identity of the requester. Researchers check for:

  • current_user_can(): Ensures the user has the necessary WordPress capabilities.
  • Nonce Validation: Uses check_ajax_referer() or wp_verify_nonce() to prevent CSRF, although nonces alone do not prevent IDOR if the user is authorized to perform the action generally but not on a specific object.
  • Token Comparison: Ensuring the provided token is cryptographically strong and correctly bound to the object ID.

Remediation Best Practices

To prevent IDOR vulnerabilities, developers should implement the following:

  1. Strict Ownership Checks: Every time an object is accessed or modified based on a user-provided ID, the application must verify that the user has permission for that specific object.
  2. Use Non-Predictable Identifiers: Use UUIDs or high-entropy random strings for public-facing identifiers instead of incremental database IDs.
  3. Harden Validation Logic: Ensure that keys and tokens are validated using strict comparisons and that the lookup query itself includes the key (e.g., $wpdb->prepare("SELECT * FROM table WHERE id = %d AND secret_token = %s", $id, $token)).
  4. Implement Capability Checks: Use WordPress's built-in current_user_can() to restrict sensitive actions to appropriate user roles.

For further information on securing WordPress plugins, you can refer to the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via its reservation management actions. Unauthenticated attackers can cancel or modify reservations by manipulating the reservation ID (rtb-id) parameter in requests, as the plugin fails to verify that the provided unique key (rtb-key) actually belongs to the specific reservation being accessed.

Vulnerable Code

// From includes/Request.class.php or similar request handling logic

if ( isset( $_GET['rtb-action'] ) && $_GET['rtb-action'] == 'cancel' ) {
    $reservation_id = intval( $_GET['rtb-id'] );
    $key = sanitize_text_field( $_GET['rtb-key'] );

    // VULNERABILITY: The code checks if a key is provided, but does not verify
    // if the key matches the record associated with $reservation_id in the database.
    if ( $reservation_id && !empty( $key ) ) {
        $this->cancel_reservation( $reservation_id );
    }
}

Security Fix

--- a/includes/Request.class.php
+++ b/includes/Request.class.php
@@ -142,7 +142,9 @@
 		$reservation_id = intval( $_GET['rtb-id'] );
 		$key = sanitize_text_field( $_GET['rtb-key'] );
 
-		if ( $reservation_id && !empty( $key ) ) {
+		$stored_key = get_post_meta( $reservation_id, 'rtb_reservation_key', true );
+
+		if ( $reservation_id && !empty( $key ) && $key === $stored_key ) {
 			$this->cancel_reservation( $reservation_id );
 		}

Exploit Outline

1. **Identify Target ID**: Determine a valid reservation ID. Since these are often stored as WordPress post IDs or sequential integers in custom tables, they can be discovered or guessed (e.g., 101, 102, 103). 2. **Identify Action Endpoint**: The plugin uses GET parameters to handle reservation actions (confirmation/cancellation) typically sent to the home page or a specific reservation page. 3. **Craft Payload**: Construct a URL with the target `rtb-id` and a dummy or captured `rtb-key`. For example: `https://example.com/?rtb-action=cancel&rtb-id=[TARGET_ID]&rtb-key=[ANY_KEY]`. 4. **Trigger Action**: Because the backend logic only checks for the presence of the `rtb-key` parameter rather than its validity against the specific `rtb-id`, the application will process the cancellation or modification for the victim's reservation ID without authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.