CVE-2026-24529

Quick Restaurant Reservations <= 1.6.7 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Quick Restaurant Reservations plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.6.7
PublishedJanuary 26, 2026
Last updatedFebruary 2, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-24529 (Quick Restaurant Reservations) ## 1. Vulnerability Summary The **Quick Restaurant Reservations** plugin (<= 1.6.7) for WordPress contains a missing authorization vulnerability. Specifically, certain AJAX actions registered via `wp_ajax_nopriv_*` or `wp_…

Show full research plan

Exploitation Research Plan: CVE-2026-24529 (Quick Restaurant Reservations)

1. Vulnerability Summary

The Quick Restaurant Reservations plugin (<= 1.6.7) for WordPress contains a missing authorization vulnerability. Specifically, certain AJAX actions registered via wp_ajax_nopriv_* or wp_ajax_* hooks fail to implement current_user_can() capability checks. This allows unauthenticated attackers to perform administrative or sensitive actions (such as modifying reservation data, canceling bookings, or potentially altering plugin settings) simply by knowing the correct AJAX action and parameters.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication: None required (Targeting wp_ajax_nopriv_ hooks).
  • Vulnerable Action: Likely related to reservation management (e.g., qrr_cancel_reservation, qrr_update_status, or qrr_save_settings).
  • Payload Parameters:
    • action: The specific AJAX action name.
    • nonce: (Required in most cases, but unauthenticated users can often obtain it).
    • id or reservation_id: The identifier of the resource to manipulate.

3. Code Flow (Manual Audit Steps)

To identify the exact vulnerable path, the agent should perform the following:

  1. Locate AJAX Registrations:
    Search for wp_ajax_nopriv_ to find actions exposed to unauthenticated users.

    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/quick-restaurant-reservations/
    
  2. Inspect the Handler Function:
    Once an action (e.g., qrr_cancel_reservation) is found, trace it to its handler function.

    • Check 1: Is current_user_can() present? (Authorization check)
    • Check 2: Is check_ajax_referer() or wp_verify_nonce() present? (CSRF protection)
    • Check 3: If a nonce check is present, is it using a generic action string that an unauthenticated user can easily obtain?
  3. Specific File Targets:
    Check includes/class-qrr-ajax.php or public/class-qrr-public.php for registration of reservation-related actions.

4. Nonce Acquisition Strategy

If the vulnerable handler requires a nonce (verified via check_ajax_referer), follow these steps to retrieve it via the browser context:

  1. Identify the Script Localization: Search for wp_localize_script to find the variable name holding the nonce.
    grep -r "wp_localize_script" /var/www/html/wp-content/plugins/quick-restaurant-reservations/
    
    Likely identifier (inferred): qrr_ajax_obj or qrr_vars.
  2. Find the Trigger Shortcode: Search for add_shortcode to find how to render the plugin on the frontend.
    grep -r "add_shortcode" /var/www/html/wp-content/plugins/quick-restaurant-reservations/
    
    Common Shortcode (inferred): [qrr_reservation_form] or [qrr_confirmation].
  3. Setup & Extraction:
    • Create a page: wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_FOUND]' --post_title='Reservation Test'
    • Navigate to the newly created page using browser_navigate.
    • Extract the nonce: browser_eval("window.qrr_ajax_obj?.nonce") (adjust variable name based on step 1).

5. Exploitation Strategy

Assuming the vulnerability allows unauthenticated reservation cancellation/modification:

  1. Identify Target ID: Use WP-CLI to find an existing reservation ID to target.
    wp post list --post_type=qrr_reservation
    
  2. Construct the Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=[VULNERABLE_ACTION]&nonce=[EXTRACTED_NONCE]&reservation_id=[ID]&status=cancelled
      
  3. Execution: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Plugin Activation: wp plugin activate quick-restaurant-reservations
  2. Create a Reservation:
    Reservations are often stored as a Custom Post Type (qrr_reservation). Create one to manipulate.
    wp post create --post_type=qrr_reservation --post_status=publish --post_title="Guest Reservation"
    
  3. Public Page: Create the page for nonce extraction as described in Section 4.

7. Expected Results

  • HTTP Response: A successful response (e.g., {"success":true} or 1).
  • Impact: The state of the targeted reservation should change (e.g., status updated to "cancelled" or the post deleted).

8. Verification Steps

After sending the exploit request, verify the state change using WP-CLI:

# Check the status of the targeted reservation
wp post get [ID] --field=post_status
# Or check meta if status is stored in user_meta/post_meta
wp post meta list [ID]

9. Alternative Approaches

If no wp_ajax_nopriv_ actions are found, look for wp_ajax_ actions that are missing a current_user_can() check. In this scenario:

  1. Login as a low-privileged user (Subscriber).
  2. Obtain the nonce from the dashboard (often localized in admin.js).
  3. Attempt the request. If it succeeds, it still constitutes a "Missing Authorization" (Broken Access Control) vulnerability because a Subscriber should not be able to manage reservations.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Quick Restaurant Reservations plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on AJAX handlers in versions up to, and including, 1.6.7. This allows unauthenticated attackers to perform sensitive actions, such as canceling or modifying reservations, by interacting with the admin-ajax.php endpoint.

Exploit Outline

To exploit this vulnerability, an attacker first identifies a page on the site where the plugin is active (typically containing a reservation shortcode) to extract a valid AJAX nonce from the localized JavaScript object (e.g., `qrr_ajax_obj.nonce`). With this nonce, the attacker sends an unauthenticated POST request to `/wp-admin/admin-ajax.php` specifying a vulnerable action such as `qrr_cancel_reservation` or `qrr_update_status`, along with the target `reservation_id`. Because the backend handler fails to verify the user's permissions via `current_user_can()`, the server-side logic executes the requested action without authorization.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.