CVE-2026-42670

Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.14 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.7.15
Patched in
8d
Time to patch

Description

The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.14. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.7.14
PublishedMay 12, 2026
Last updatedMay 19, 2026

What Changed in the Fix

Changes introduced in v2.7.15

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-42670 - Five Star Restaurant Reservations Unauthorized Action ## 1. Vulnerability Summary The **Five Star Restaurant Reservations** plugin (<= 2.7.14) is vulnerable to **Missing Authorization** because it registers certain AJAX actions using `wp_ajax_nopriv_` (unauthentica…

Show full research plan

Research Plan: CVE-2026-42670 - Five Star Restaurant Reservations Unauthorized Action

1. Vulnerability Summary

The Five Star Restaurant Reservations plugin (<= 2.7.14) is vulnerable to Missing Authorization because it registers certain AJAX actions using wp_ajax_nopriv_ (unauthenticated) without implementing a subsequent current_user_can() check in the handler. Based on the provided source code and JS assets, the primary candidate for this vulnerability is the rtb_hide_helper_notice action, which allows users to dismiss administrative installation/helper notices. An unauthenticated attacker can trigger this action to modify plugin configuration flags (e.g., hiding notices intended for the admin).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rtb_hide_helper_notice
  • HTTP Method: POST
  • Parameters:
    • action: rtb_hide_helper_notice (Required)
    • nonce: The nonce value associated with the action (Required by the JS, but may or may not be verified in PHP).
  • Authentication: None (Unauthenticated via wp_ajax_nopriv_).
  • Preconditions: The plugin must be active. The "Helper Install Notice" or "Installation Walkthrough" should be in a state where the notice is dismissible.

3. Code Flow

  1. Request Entry: An unauthenticated POST request is sent to admin-ajax.php?action=rtb_hide_helper_notice.
  2. Hook Registration: The plugin likely registers the action in includes/Ajax.class.php (referenced in restaurant-reservations.php) or includes/Helper.class.php using:
    add_action( 'wp_ajax_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) );
    add_action( 'wp_ajax_nopriv_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) );
    
  3. Handler Execution: The handler function (e.g., hide_helper_notice) is called.
  4. Vulnerability: The handler lacks a current_user_can( 'manage_options' ) check. It may also lack a strict check_ajax_referer or wp_verify_nonce check, or use a nonce that is leaked to unauthenticated users.
  5. Sink: The handler calls update_option() or update_user_meta() to mark the notice as hidden (e.g., updating an option like rtb-helper-notice-hidden).

4. Nonce Acquisition Strategy

The frontend JavaScript (assets/js/helper-install-notice.js) relies on a localized object rtb_helper_notice:

var data = jQuery.param({
  action: 'rtb_hide_helper_notice',
  nonce: rtb_helper_notice.nonce
});

To obtain this nonce as an unauthenticated user:

  1. Identify the Trigger: The "Helper Install Notice" is likely displayed when the plugin is active but not fully configured.
  2. Navigation: Use browser_navigate to the WordPress homepage.
  3. Extraction: Many plugins localize their scripts on all pages during setup. Use browser_eval to check for the global variable:
    • browser_eval("window.rtb_helper_notice?.nonce")
  4. Fallback: If not on the homepage, check if the plugin has a "Booking Form" shortcode [booking-form]. Create a page with this shortcode and navigate to it:
    • wp post create --post_type=page --post_status=publish --post_content='[booking-form]'
    • Navigate to the new page and repeat the browser_eval.

5. Exploitation Strategy

The goal is to trigger the dismissal of the helper notice as an unauthenticated user.

  1. Setup: Ensure the plugin is active.
  2. Fetch Nonce: Follow the Nonce Acquisition Strategy to retrieve the rtb_helper_notice.nonce.
  3. Send Exploit Payload:
    # Use http_request tool
    POST /wp-admin/admin-ajax.php
    Content-Type: application/x-www-form-urlencoded
    
    action=rtb_hide_helper_notice&nonce=[EXTRACTED_NONCE]
    
  4. No-Nonce Attempt: If extraction fails, attempt the request with a dummy nonce or no nonce at all, as the authorization check itself is the primary missing component.

6. Test Data Setup

  1. Install Plugin: restaurant-reservations version 2.7.14.
  2. Activate Plugin: wp plugin activate restaurant-reservations
  3. Verify Initial State: Check if the option rtb-helper-notice-hidden (or similar, verify via wp option list --search="rtb") is currently false or non-existent.

7. Expected Results

  • Response: The server should return a 200 OK response, potentially with a JSON body indicating success (e.g., {"success":true}).
  • Effect: The plugin's "Helper Install Notice" will no longer appear for the administrator.
  • Database Change: An option or user meta key will be updated to reflect that the notice has been dismissed.

8. Verification Steps

  1. Check Database: Use WP-CLI to verify the state of the configuration:
    • wp option get rtb-helper-notice-hidden (or the actual key found during research).
  2. Check Admin View: Log in as an administrator and verify the "Five Star Restaurant Reservations" install notice is gone from the dashboard.

9. Alternative Approaches

If rtb_hide_helper_notice is not the culprit, investigate other wp_ajax_nopriv_ actions in includes/PaymentGatewayStripe.class.php:

  • rtb_stripe_get_intent
  • rtb_stripe_pmt_succeed
    These actions handle payments. While intended for unauthenticated users, if they allow modification of booking statuses without proper signature/token verification from Stripe, they would constitute a high-impact authorization bypass. However, given the Medium severity, focusing on administrative flags and notices is the most likely path.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.