{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0658", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-06T19:46:02.313Z", "datePublished": "2026-02-02T06:00:03.784Z", "dateUpdated": "2026-02-02T14:53:22.633Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-02-02T06:00:03.784Z"}, "title": "Five Star Restaurant Reservations < 2.7.9 - Arbitrary Bookings Deletion via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Five Star Restaurant Reservations", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.7.9"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks."}], "references": [{"url": "https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T14:51:28.975273Z", "id": "CVE-2026-0658", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T14:53:22.633Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0658", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T14:51:28.975273Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T14:52:41.853Z"}}], "cna": {"title": "Five Star Restaurant Reservations < 2.7.9 - Arbitrary Bookings Deletion via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Five Star Restaurant Reservations", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-02-02T06:00:03.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0658", "state": "PUBLISHED", "dateUpdated": "2026-02-02T14:53:22.633Z", "dateReserved": "2026-01-06T19:46:02.313Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-02-02T06:00:03.784Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks."}, {"lang": "es", "value": "El plugin de WordPress Five Star Restaurant Reservations anterior a la versi\u00f3n 2.7.9 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podr\u00eda permitir a los atacantes hacer que los administradores que han iniciado sesi\u00f3n realicen acciones no deseadas, como eliminar reservas a trav\u00e9s de ataques CSRF."}], "id": "CVE-2026-0658", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-02T07:16:44.803", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:44:30.233109+00:00", "value": {"mitigation_remediation": ["Upgrade the Five Star Restaurant Reservations plugin to version\u00a02.7.9 or later.", "Require users to log out or use two\u2011factor authentication after administrative operations to reduce the window for a CSRF attack.", "Review WordPress admin logs for unexpected bulk deletion events and investigate anomalous activity."], "summary": {"action": "Patch", "impact": "Unwanted deletion of restaurant reservations via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Five Star Restaurant Reservations plugin for WordPress in all versions earlier than 2.7.9. Administrators using these versions are at risk of having their booking data erased via crafted requests sent from a malicious site.", "description_and_impact": "The Five Star Restaurant Reservations WordPress plugin before version 2.7.9 lacks cross\u2011site request forgery protection for certain bulk booking actions, which can allow an attacker to manipulate a logged\u2011in administrator into deleting reservations. This weakness is an example of CWE\u2011352, where an unauthorized user forces a legitimate user to perform an unintended action without confirmation of intent.", "risk_and_exploitability": "The vulnerability has a moderate CVSS score of 4.3 and a very low exploitation probability (EPSS\u00a0<\u00a01\u202f%). It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to coerce a legitimate administrator to process a malicious request, typically by embedding a CSRF link in a fraud or phishing page. Because the exploit requires a logged\u2011in admin session, its likelihood is limited to scenarios where administrators are unaware of the attacker\u2019s presence, making this a moderate but opportunistic risk."}}}}, "created": "2026-02-04T12:44:45.519961+00:00", "updated": "2026-04-18T00:45:32.247502+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}