WordPress Plugin Vulnerabilities

Five Star Restaurant Reservations < 2.4.12 - Unauthenticated Arbitrary Payment Status Update to Stored XSS

Description

The plugin does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping, attackers could perform Cross-Site Scripting attacks against a logged in admin viewing the failed payments

Proof of Concept

Affects Plugins

Plugin icon
restaurant-reservations
Fixed in 2.4.12

References

CVE
CVE-2022-0421

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
145e8d3c-cd6f-4827-86e5-ea2d395a80b9

Timeline

Publicly Published
2022-02-05 (about 3 years ago)
Added
2022-10-31 (about 3 years ago)
Last Updated
2022-10-31 (about 3 years ago)

Other

Published
Title
Published
2025-10-02
Title
Constructor <= 1.6.5 - Missing Authorization to Authenticated (Subscriber+) Theme Clean
Published
2025-05-30
Title
Woo Slider Pro <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-10-19
Title
Sendle Shipping < 6.03 - Missing Authorization
Published
2025-01-31
Title
WordPress Contact Forms by Cimatti < 1.9.5 - Missing Authorization to Unauthenticated Form Submission Download
Published
2024-04-25
Title
EPROLO Dropshipping < 1.7.2 - Missing Authorization