Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.14 - Missing Authorization
Description
The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.14. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.7.14What Changed in the Fix
Changes introduced in v2.7.15
Source Code
WordPress.org SVN# Research Plan: CVE-2026-42670 - Five Star Restaurant Reservations Unauthorized Action ## 1. Vulnerability Summary The **Five Star Restaurant Reservations** plugin (<= 2.7.14) is vulnerable to **Missing Authorization** because it registers certain AJAX actions using `wp_ajax_nopriv_` (unauthentica…
Show full research plan
Research Plan: CVE-2026-42670 - Five Star Restaurant Reservations Unauthorized Action
1. Vulnerability Summary
The Five Star Restaurant Reservations plugin (<= 2.7.14) is vulnerable to Missing Authorization because it registers certain AJAX actions using wp_ajax_nopriv_ (unauthenticated) without implementing a subsequent current_user_can() check in the handler. Based on the provided source code and JS assets, the primary candidate for this vulnerability is the rtb_hide_helper_notice action, which allows users to dismiss administrative installation/helper notices. An unauthenticated attacker can trigger this action to modify plugin configuration flags (e.g., hiding notices intended for the admin).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
rtb_hide_helper_notice - HTTP Method: POST
- Parameters:
action:rtb_hide_helper_notice(Required)nonce: The nonce value associated with the action (Required by the JS, but may or may not be verified in PHP).
- Authentication: None (Unauthenticated via
wp_ajax_nopriv_). - Preconditions: The plugin must be active. The "Helper Install Notice" or "Installation Walkthrough" should be in a state where the notice is dismissible.
3. Code Flow
- Request Entry: An unauthenticated POST request is sent to
admin-ajax.php?action=rtb_hide_helper_notice. - Hook Registration: The plugin likely registers the action in
includes/Ajax.class.php(referenced inrestaurant-reservations.php) orincludes/Helper.class.phpusing:add_action( 'wp_ajax_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) ); add_action( 'wp_ajax_nopriv_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) ); - Handler Execution: The handler function (e.g.,
hide_helper_notice) is called. - Vulnerability: The handler lacks a
current_user_can( 'manage_options' )check. It may also lack a strictcheck_ajax_refererorwp_verify_noncecheck, or use a nonce that is leaked to unauthenticated users. - Sink: The handler calls
update_option()orupdate_user_meta()to mark the notice as hidden (e.g., updating an option likertb-helper-notice-hidden).
4. Nonce Acquisition Strategy
The frontend JavaScript (assets/js/helper-install-notice.js) relies on a localized object rtb_helper_notice:
var data = jQuery.param({
action: 'rtb_hide_helper_notice',
nonce: rtb_helper_notice.nonce
});
To obtain this nonce as an unauthenticated user:
- Identify the Trigger: The "Helper Install Notice" is likely displayed when the plugin is active but not fully configured.
- Navigation: Use
browser_navigateto the WordPress homepage. - Extraction: Many plugins localize their scripts on all pages during setup. Use
browser_evalto check for the global variable:browser_eval("window.rtb_helper_notice?.nonce")
- Fallback: If not on the homepage, check if the plugin has a "Booking Form" shortcode
[booking-form]. Create a page with this shortcode and navigate to it:wp post create --post_type=page --post_status=publish --post_content='[booking-form]'- Navigate to the new page and repeat the
browser_eval.
5. Exploitation Strategy
The goal is to trigger the dismissal of the helper notice as an unauthenticated user.
- Setup: Ensure the plugin is active.
- Fetch Nonce: Follow the Nonce Acquisition Strategy to retrieve the
rtb_helper_notice.nonce. - Send Exploit Payload:
# Use http_request tool POST /wp-admin/admin-ajax.php Content-Type: application/x-www-form-urlencoded action=rtb_hide_helper_notice&nonce=[EXTRACTED_NONCE] - No-Nonce Attempt: If extraction fails, attempt the request with a dummy nonce or no nonce at all, as the authorization check itself is the primary missing component.
6. Test Data Setup
- Install Plugin:
restaurant-reservationsversion 2.7.14. - Activate Plugin:
wp plugin activate restaurant-reservations - Verify Initial State: Check if the option
rtb-helper-notice-hidden(or similar, verify viawp option list --search="rtb") is currently false or non-existent.
7. Expected Results
- Response: The server should return a
200 OKresponse, potentially with a JSON body indicating success (e.g.,{"success":true}). - Effect: The plugin's "Helper Install Notice" will no longer appear for the administrator.
- Database Change: An option or user meta key will be updated to reflect that the notice has been dismissed.
8. Verification Steps
- Check Database: Use WP-CLI to verify the state of the configuration:
wp option get rtb-helper-notice-hidden(or the actual key found during research).
- Check Admin View: Log in as an administrator and verify the "Five Star Restaurant Reservations" install notice is gone from the dashboard.
9. Alternative Approaches
If rtb_hide_helper_notice is not the culprit, investigate other wp_ajax_nopriv_ actions in includes/PaymentGatewayStripe.class.php:
rtb_stripe_get_intentrtb_stripe_pmt_succeed
These actions handle payments. While intended for unauthenticated users, if they allow modification of booking statuses without proper signature/token verification from Stripe, they would constitute a high-impact authorization bypass. However, given the Medium severity, focusing on administrative flags and notices is the most likely path.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.