Five Star Restaurant Reservations < 2.7.9 – Cross-Site Request Forgery | CVE 2025-68601 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

restaurant-reservations

Fixed in 2.7.9

References

CVE

URL

https://vdp.patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

benzdeus

Verified

No

WPVDB ID

b6b73b60-226e-4ce3-b659-6dfb3da17892

Timeline

Publicly Published

2025-12-24 (about 6 months ago)

Added

2026-01-05 (about 5 months ago)

Last Updated

2026-01-17 (about 5 months ago)

Other

Published

Title

Published

2023-08-25

Title

iThemes Sync < 2.1.14 - Cross-Site Request Forgery and Missing Authorization via 'hide_authenticate_notice'

Published

2025-04-14

Title

My auctions allegro < 3.6.34 - Cross-Site Request Forgery

Published

2023-06-27

Title

Salon Booking System < 8.4.8 - User Role change via CSRF

Published

2023-08-07

Title

The Post Grid < 7.2.8 - Block CSS Update via CSRF

Published

2019-06-03

Title

WP Google Maps <= 7.11.27 - Admin Settings CSRF