[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQs7CO0yMSpaliV9K3qiW1VXTZhxo-jBoOKpySDZp2Wo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-42670","five-star-restaurant-reservations-wordpress-booking-plugin-missing-authorization-2","Five Star Restaurant Reservations – WordPress Booking Plugin \u003C= 2.7.14 - Missing Authorization","The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.14. This makes it possible for unauthenticated attackers to perform an unauthorized action.","restaurant-reservations",null,"\u003C=2.7.14","2.7.15","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-12 00:00:00","2026-05-19 13:33:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1cbc482f-25b2-4709-8e6a-426fcd5b9fe0?source=api-prod",8,[22,23,24,25,26,27],"assets\u002Fcss\u002Fhelper-install-notice.css","assets\u002Fjs\u002Fhelper-install-notice.js","includes\u002FHelper.class.php","includes\u002FPaymentGatewayStripe.class.php","readme.txt","restaurant-reservations.php","researched",false,3,"# Research Plan: CVE-2026-42670 - Five Star Restaurant Reservations Unauthorized Action\n\n## 1. Vulnerability Summary\nThe **Five Star Restaurant Reservations** plugin (\u003C= 2.7.14) is vulnerable to **Missing Authorization** because it registers certain AJAX actions using `wp_ajax_nopriv_` (unauthenticated) without implementing a subsequent `current_user_can()` check in the handler. Based on the provided source code and JS assets, the primary candidate for this vulnerability is the `rtb_hide_helper_notice` action, which allows users to dismiss administrative installation\u002Fhelper notices. An unauthenticated attacker can trigger this action to modify plugin configuration flags (e.g., hiding notices intended for the admin).\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `rtb_hide_helper_notice`\n- **HTTP Method**: POST\n- **Parameters**:\n  - `action`: `rtb_hide_helper_notice` (Required)\n  - `nonce`: The nonce value associated with the action (Required by the JS, but may or may not be verified in PHP).\n- **Authentication**: None (Unauthenticated via `wp_ajax_nopriv_`).\n- **Preconditions**: The plugin must be active. The \"Helper Install Notice\" or \"Installation Walkthrough\" should be in a state where the notice is dismissible.\n\n## 3. Code Flow\n1. **Request Entry**: An unauthenticated POST request is sent to `admin-ajax.php?action=rtb_hide_helper_notice`.\n2. **Hook Registration**: The plugin likely registers the action in `includes\u002FAjax.class.php` (referenced in `restaurant-reservations.php`) or `includes\u002FHelper.class.php` using:\n   ```php\n   add_action( 'wp_ajax_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) );\n   add_action( 'wp_ajax_nopriv_rtb_hide_helper_notice', array( $this, 'hide_helper_notice' ) );\n   ```\n3. **Handler Execution**: The handler function (e.g., `hide_helper_notice`) is called.\n4. **Vulnerability**: The handler lacks a `current_user_can( 'manage_options' )` check. It may also lack a strict `check_ajax_referer` or `wp_verify_nonce` check, or use a nonce that is leaked to unauthenticated users.\n5. **Sink**: The handler calls `update_option()` or `update_user_meta()` to mark the notice as hidden (e.g., updating an option like `rtb-helper-notice-hidden`).\n\n## 4. Nonce Acquisition Strategy\nThe frontend JavaScript (`assets\u002Fjs\u002Fhelper-install-notice.js`) relies on a localized object `rtb_helper_notice`:\n```javascript\nvar data = jQuery.param({\n  action: 'rtb_hide_helper_notice',\n  nonce: rtb_helper_notice.nonce\n});\n```\n\nTo obtain this nonce as an unauthenticated user:\n1. **Identify the Trigger**: The \"Helper Install Notice\" is likely displayed when the plugin is active but not fully configured.\n2. **Navigation**: Use `browser_navigate` to the WordPress homepage.\n3. **Extraction**: Many plugins localize their scripts on all pages during setup. Use `browser_eval` to check for the global variable:\n   - `browser_eval(\"window.rtb_helper_notice?.nonce\")`\n4. **Fallback**: If not on the homepage, check if the plugin has a \"Booking Form\" shortcode `[booking-form]`. Create a page with this shortcode and navigate to it:\n   - `wp post create --post_type=page --post_status=publish --post_content='[booking-form]'`\n   - Navigate to the new page and repeat the `browser_eval`.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the dismissal of the helper notice as an unauthenticated user.\n\n1. **Setup**: Ensure the plugin is active.\n2. **Fetch Nonce**: Follow the **Nonce Acquisition Strategy** to retrieve the `rtb_helper_notice.nonce`.\n3. **Send Exploit Payload**:\n   ```bash\n   # Use http_request tool\n   POST \u002Fwp-admin\u002Fadmin-ajax.php\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=rtb_hide_helper_notice&nonce=[EXTRACTED_NONCE]\n   ```\n4. **No-Nonce Attempt**: If extraction fails, attempt the request with a dummy nonce or no nonce at all, as the authorization check itself is the primary missing component.\n\n## 6. Test Data Setup\n1. **Install Plugin**: `restaurant-reservations` version 2.7.14.\n2. **Activate Plugin**: `wp plugin activate restaurant-reservations`\n3. **Verify Initial State**: Check if the option `rtb-helper-notice-hidden` (or similar, verify via `wp option list --search=\"rtb\"`) is currently false or non-existent.\n\n## 7. Expected Results\n- **Response**: The server should return a `200 OK` response, potentially with a JSON body indicating success (e.g., `{\"success\":true}`).\n- **Effect**: The plugin's \"Helper Install Notice\" will no longer appear for the administrator.\n- **Database Change**: An option or user meta key will be updated to reflect that the notice has been dismissed.\n\n## 8. Verification Steps\n1. **Check Database**: Use WP-CLI to verify the state of the configuration:\n   - `wp option get rtb-helper-notice-hidden` (or the actual key found during research).\n2. **Check Admin View**: Log in as an administrator and verify the \"Five Star Restaurant Reservations\" install notice is gone from the dashboard.\n\n## 9. Alternative Approaches\nIf `rtb_hide_helper_notice` is not the culprit, investigate other `wp_ajax_nopriv_` actions in `includes\u002FPaymentGatewayStripe.class.php`:\n- `rtb_stripe_get_intent`\n- `rtb_stripe_pmt_succeed`\nThese actions handle payments. While intended for unauthenticated users, if they allow modification of booking statuses without proper signature\u002Ftoken verification from Stripe, they would constitute a high-impact authorization bypass. However, given the Medium severity, focusing on administrative flags and notices is the most likely path.","gemini-3-flash-preview","2026-05-20 18:08:06","2026-05-20 18:09:57",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.7.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags\u002F2.7.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-reservations.2.7.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags\u002F2.7.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-reservations.2.7.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags"]