[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFfrDODpVxcXrZcarKAPFfslTZkkw1uk5slIUePyMtnk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54830","five-star-restaurant-reservations-wordpress-booking-plugin-missing-authorization-3","Five Star Restaurant Reservations – WordPress Booking Plugin \u003C= 2.7.19 - Missing Authorization","The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.19. This makes it possible for unauthenticated attackers to perform an unauthorized action.","restaurant-reservations",null,"\u003C=2.7.19","2.7.20","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-17 00:00:00","2026-06-23 15:53:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0a809457-0a85-481a-b075-5239f656477c?source=api-prod",7,[22,23,24,25,26,27,28,29],"includes\u002FPaymentGatewayStripe.class.php","lib\u002Fstripe\u002Flib\u002FAccount.php","lib\u002Fstripe\u002Flib\u002FAccountLink.php","lib\u002Fstripe\u002Flib\u002FAlipayAccount.php","lib\u002Fstripe\u002Flib\u002FApiOperations\u002FAll.php","lib\u002Fstripe\u002Flib\u002FApiOperations\u002FCreate.php","lib\u002Fstripe\u002Flib\u002FApiOperations\u002FDelete.php","lib\u002Fstripe\u002Flib\u002FApiOperations\u002FNestedResource.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation material, functional payloads, or detailed research plans for the exploitation of specific vulnerabilities in software or code snippets. \n\nFor information on identifying and remediating authorization issues in WordPress, I recommend consulting the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and searching for resources on \"WordPress AJAX security best practices\" and \"Proper capability checks in WordPress plugins.\" These resources provide guidance on implementing `current_user_can()` and using nonces correctly to protect sensitive functions.","The Five Star Restaurant Reservations plugin for WordPress is vulnerable to unauthorized payment confirmation due to insufficient verification in its Stripe payment processing logic. Unauthenticated attackers can exploit this to mark reservations as paid without actually completing a transaction by spoofing the payment success callback.","\u002F\u002F includes\u002FPaymentGatewayStripe.class.php lines 23-24\nadd_action( 'wp_ajax_rtb_stripe_pmt_succeed', array( $this, 'stripe_sca_succeed' ) );\nadd_action( 'wp_ajax_nopriv_rtb_stripe_pmt_succeed', array( $this, 'stripe_sca_succeed' ) );\n\n---\n\n\u002F\u002F includes\u002FPaymentGatewayStripe.class.php lines 458-460\npublic function valid_payment( $booking ) {\n\n  return ! empty( $booking->stripe_payment_intent_id ) && sanitize_text_field( $_POST['payment_id'] ) === $booking->stripe_payment_intent_id;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-reservations\u002F2.7.19\u002Fincludes\u002FPaymentGatewayStripe.class.php\t2026-04-29 19:23:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-reservations\u002F2.7.20\u002Fincludes\u002FPaymentGatewayStripe.class.php\t2026-06-03 13:51:22.000000000 +0000\n@@ -449,13 +458,48 @@\n   }\n \n   \u002F**\n-   * Validate the payment success request by verifing the payment_intent ID\n+   * Validate the payment success request by verifying the payment_intent ID\n    * \n-   * @return bool true on valid else false\n+   * @param  rtbBooking $booking\n+   * @return bool true if Stripe confirms payment else false\n    *\u002F\n   public function valid_payment( $booking ) {\n+\tglobal $rtb_controller;\n+\n+\t\u002F\u002F Must have an intent ID stored server-side from the intent-creation step\n+\tif ( empty( $booking->stripe_payment_intent_id ) ) { return false; }\n+\n+\t\u002F\u002F The posted payment_id must match what we stored\n+\t$posted_id = sanitize_text_field( $_POST['payment_id'] ?? '' );\n+\tif ( $posted_id !== $booking->stripe_payment_intent_id ) { return false; }\n+\n+\t\u002F\u002F Ask Stripe if the intent was actually paid\n+\ttry {\n+\n+\t  \u002F\u002F load the stripe libraries\n+\t  require_once( RTB_PLUGIN_DIR . '\u002Flib\u002Fstripe\u002Finit.php' );\n+  \n+\t  \\rtbStripe\\Stripe::setApiKey( $this->get_secret() );\n \n-    return ! empty( $booking->stripe_payment_intent_id ) && sanitize_text_field( $_POST['payment_id'] ) === $booking->stripe_payment_intent_id;\n+\t  $intent = \\rtbStripe\\PaymentIntent::retrieve( $booking->stripe_payment_intent_id );\n+\n+\t  $is_hold = $rtb_controller->settings->get_setting( 'rtb-stripe-hold' );\n+\n+\t  \u002F\u002F For normal payments: status must be 'succeeded'\n+\t  \u002F\u002F For hold\u002Fmanual-capture: status must be 'requires_capture'\n+\t  $valid_status = $is_hold ? 'requires_capture' : 'succeeded';\n+\n+\t  return $intent->status === $valid_status;\n+\t}\n+\tcatch ( Exception $ex ) {\n+\n+\t  if ( defined('WP_DEBUG') && WP_DEBUG ) {\n+\n+\t\terror_log( sprintf( __( 'Five Star RTB Stripe valid_payment error: %s', 'restaurant-reservations' ), $ex->getMessage() ) );\n+\t  }\n+\n+\t  return false;\n+\t}\n   }","The exploit targets the AJAX endpoint used for handling successful Stripe SCA (Strong Customer Authentication) payments. \n\n1. The attacker identifies a valid `booking_id` (typically generated during the initial reservation step).\n2. The attacker sends an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `rtb_stripe_pmt_succeed`.\n3. The payload includes the `booking_id` and a `payment_id` that matches the `stripe_payment_intent_id` associated with that booking (which might be known from previous client-side interactions).\n4. In the vulnerable version, the `valid_payment` function only performs a loose string comparison between the provided `payment_id` and the one stored in the booking object. It does not communicate with Stripe's API to confirm the payment's actual status.\n5. Consequently, the reservation is processed and confirmed by the system as if a successful payment had occurred, allowing the attacker to bypass the deposit or payment requirement.","gemini-3-flash-preview","2026-06-25 22:42:10","2026-06-25 22:43:14",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.7.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags\u002F2.7.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-reservations.2.7.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags\u002F2.7.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-reservations.2.7.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-reservations\u002Ftags"]