WordPress Security Bulletin: Five Star Restaurant Reservations Plugin Vulnerability (CVE-2026-0658)

Security Alert Summary

The Five Star Restaurant Reservations WordPress plugin contains a cross-site request forgery (CSRF) weakness in some bulk action handlers in versions before 2.7.9. An attacker able to induce an authenticated administrator to visit a crafted page could trigger unwanted actions, such as deletion of bookings, by exploiting the missing CSRF checks.


CVE Details

  • CVE ID: CVE-2026-0658
  • Affected component: Five Star Restaurant Reservations WordPress plugin
  • Affected versions: before 2.7.9
  • Published: February 2, 2026 at 07:16:44 AM UTC
  • Last modified: February 2, 2026 at 03:16:30 PM UTC
  • CVSS v3.1: Base Score 4.3 — MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: No privileges required (PR:N); user interaction required (UI:R)
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE: CWE-352 (Cross-Site Request Forgery)

Technical Details

The plugin lacks CSRF protections on some bulk action handlers. Because those handlers do not verify a valid CSRF token or equivalent nonce, an attacker can craft a page that triggers the bulk action when a logged-in administrator (or another privileged user) views it. The CVE description specifically notes deletion of bookings as an example of an unwanted action that could be performed via CSRF. No specific functions or REST endpoints are named in the CVE entry.

The root cause is missing CSRF checks on server-side action handlers; without server-side verification of intent (for example, checking a nonce or token tied to the authenticated session), the application cannot distinguish legitimate requests from attacker-crafted requests that a browser will faithfully execute on behalf of an authenticated user.
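As an added illustration (not the plugin's code; the CVE entry names no functions), a hypothetical bulk-delete handler for a reservations admin screen in the unprotected form the advisory describes, followed by the hardened form using WordPress nonce and capability checks. The `rsv_` prefixes, the `rsv_bulk_action` nonce action name and the `manage_options` capability choice are assumptions for this example.

```php
<?php
// Added example, not the plugin's own code. Two versions of a hypothetical
// bulk "delete bookings" handler on a WordPress admin page.

// Unprotected pattern: the handler trusts any POST carrying the admin's cookies,
// so a forged cross-origin form submission is executed like a legitimate one.
function rsv_handle_bulk_delete_unprotected() {
    if ( empty( $_POST['action'] ) || 'delete_bookings' !== $_POST['action'] ) {
        return;
    }
    $ids = array_map( 'absint', (array) ( $_POST['booking_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true ); // runs for forged requests too: this is the CSRF
    }
}

// Hardened pattern, part 1: the legitimate form embeds a nonce bound to the
// logged-in user and to the action name 'rsv_bulk_action' (assumed name).
function rsv_render_bulk_form( array $booking_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=rsv-bookings' ) ) . '">';
    wp_nonce_field( 'rsv_bulk_action', 'rsv_nonce' ); // hidden field: _wpnonce-style token
    foreach ( $booking_ids as $id ) {
        printf( '<input type="checkbox" name="booking_ids[]" value="%d"> ', absint( $id ) );
    }
    echo '<input type="hidden" name="action" value="delete_bookings">';
    submit_button( 'Delete selected' );
    echo '</form>';
}

// Hardened pattern, part 2: verify the nonce (proof of intent) and the
// capability (proof of authorization) before touching any booking.
function rsv_handle_bulk_delete_protected() {
    if ( empty( $_POST['action'] ) || 'delete_bookings' !== $_POST['action'] ) {
        return;
    }
    // check_admin_referer() calls wp_die() with a 403 if the nonce is missing,
    // expired, or was issued for a different user or action.
    check_admin_referer( 'rsv_bulk_action', 'rsv_nonce' );

    // A valid nonce only shows the request came from this user's own form;
    // it does not grant permission, so the capability check stays separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $ids = array_map( 'absint', (array) ( $_POST['booking_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
}
add_action( 'admin_init', 'rsv_handle_bulk_delete_protected' );
```

When reviewing a plugin for this class of bug, look for admin-side handlers that read `$_POST`/`$_GET` and change state without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call preceding the write.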


How This Could Impact Your Website

Consider a site with multiple users: a site owner, an internal staff member who manages bookings, and an external contractor who occasionally logs in to update content. If an administrator or staff member with sufficient permissions is tricked into visiting an attacker-controlled page, the attacker could trigger bulk actions in the plugin—such as deleting bookings—without additional authentication.

Practical consequences include loss or alteration of booking data and the operational disruption of reservation workflows. While the CVSS impacts indicate limited integrity effects rather than full system compromise, unauthorized deletion or modification of booking records can still cause customer service issues and data recovery overhead. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the plugin to a patched release (version 2.7.9 or later, given the affected-version range above) as soon as possible.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and editors who do not need administrative permissions.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected bulk actions or deletions.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
