CVE-2026-0658

4.3 MEDIUM

📋 TL;DR

The Five Star Restaurant Reservations WordPress plugin before version 2.7.9 lacks CSRF protection on some of its bulk actions. An attacker who lures a logged-in administrator to a crafted page can have the administrator's browser submit those bulk actions, such as deleting bookings, without the administrator's knowledge; the attacker needs no account on the site. Any WordPress site running a vulnerable version of the plugin is affected.

💻 Affected Systems

Products:
  • Five Star Restaurant Reservations WordPress Plugin
Versions: before 2.7.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the plugin active and an administrator who opens attacker-controlled content while logged in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete all restaurant bookings, disrupt business operations, and potentially manipulate other administrative functions if additional vulnerable endpoints exist.

🟠

Likely Case

Targeted deletion of specific bookings or manipulation of reservation data, causing operational disruptions and data loss.

🟢

If Mitigated

Minimal impact once the plugin is updated to 2.7.9, where the bulk actions are protected. Short of that, keeping administrative work in a dedicated browser profile reduces the chance that an authenticated admin session is present when a lure is opened.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No (the attacker needs no account, but the forged request is sent by a logged-in administrator's browser)
Complexity: LOW

Exploitation requires social engineering: an administrator must visit attacker-controlled content (a link, or a page embedding an auto-submitting form) while authenticated to the site. The browser attaches the administrator's session cookies to the forged request, which is why a missing nonce check is sufficient for the attack.
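To make the mechanism concrete, here is an illustrative admin-side bulk-action handler written for this page, first without and then with CSRF protection. It is not code from the Five Star Restaurant Reservations plugin and does not claim to show how 2.7.9 fixes the issue; the hook, form field names (bulk_action, booking_ids, example_bulk_nonce), the capability and the example_delete_booking helper are hypothetical placeholders.

```php
<?php
/**
 * Illustrative example for this advisory, not plugin code.
 * Hook names, form fields, capability and helper are hypothetical.
 */

// Placeholder for whatever actually removes a booking record.
function example_delete_booking( $id ) {
    // ... delete booking $id ...
}

// --- Vulnerable pattern: any POST that carries the expected fields is honoured.
// A hidden form on an attacker's page, auto-submitted while an administrator
// is logged in, passes these checks because the browser sends the admin's
// cookies with the request. Nothing here proves the request came from the
// plugin's own admin screen.
function example_handle_bulk_vulnerable() {
    if ( ! isset( $_POST['bulk_action'], $_POST['booking_ids'] ) ) {
        return;
    }
    if ( 'delete' === $_POST['bulk_action'] ) {
        foreach ( (array) $_POST['booking_ids'] as $id ) {
            example_delete_booking( (int) $id );
        }
    }
}

// --- Hardened pattern: capability check plus a nonce bound to this action.
// check_admin_referer() verifies the nonce in the named field and calls
// wp_die() on failure, so the delete loop is never reached for a forged
// request: an attacker's page cannot read or guess a nonce tied to the
// victim's session.
function example_handle_bulk_hardened() {
    if ( ! isset( $_POST['bulk_action'], $_POST['booking_ids'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_bulk_bookings', 'example_bulk_nonce' );

    $action = sanitize_key( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) wp_unslash( $_POST['booking_ids'] ) );
    if ( 'delete' === $action ) {
        foreach ( $ids as $id ) {
            example_delete_booking( $id );
        }
    }
}
add_action( 'admin_init', 'example_handle_bulk_hardened' );

// The admin form that drives the hardened handler must emit the matching
// nonce; wp_nonce_field() adds the hidden field and the referer field.
function example_render_bulk_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=example-bookings' ) ) . '">';
    wp_nonce_field( 'example_bulk_bookings', 'example_bulk_nonce' );
    // ... checkbox inputs named booking_ids[] and a bulk_action select ...
    echo '<button type="submit">Apply</button></form>';
}
```

The two checks are independent: current_user_can() stops low-privilege users, but on its own does nothing against CSRF, because the forged request is made by a user who does have the capability. Only the nonce ties the request to a page the administrator actually loaded.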

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.9

Advisory (WPScan, third party): https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Five Star Restaurant Reservations' and click 'Update Now'.
4. Verify the installed version is 2.7.9 or later.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it can be updated. Confirm the plugin's directory slug first, since the slug used by WP-CLI can differ from the display name shown in the admin panel:

wp plugin list | grep -i reservation
wp plugin deactivate five-star-restaurant-reservations

Use Administrator Browser Isolation (platform: all)

Use a separate browser profile for administrative tasks and never browse other sites from it, so that no admin session cookie exists in the browser used for general browsing. An incognito window helps only if the admin session is closed before any other site is opened in that same private session, since tabs in one private session share cookies.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that reject POST requests to the plugin's bulk-action endpoints when the Origin (or, failing that, Referer) header names a host other than the site itself; a CSRF request from an attacker's page always carries a foreign origin.
  • Require administrators to use dedicated administrative accounts that are only used for backend tasks and never for general browsing, and to log out when finished.
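Where no WAF is available, the same origin check can be enforced inside WordPress as a must-use plugin. The following is an illustrative stop-gap written for this page, not part of the plugin or the advisory: it runs on admin_init (which fires for both admin.php and admin-ajax.php) and rejects POST requests from logged-in users whose Origin or Referer host is not this site. The file name and function name are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Example admin cross-site POST guard
 * Description: Illustrative stop-gap for CSRF against admin endpoints while a
 *              plugin cannot be patched. Drop into wp-content/mu-plugins/.
 *              Example code for this advisory, not vendor code.
 */

function example_admin_csrf_guard() {
    // CSRF rides on the victim's authenticated session, so only authenticated
    // state-changing requests are inspected. Anonymous traffic such as
    // front-end AJAX (wp_ajax_nopriv_*) and webhooks is left untouched.
    if ( ! is_user_logged_in() || 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }

    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );

    // Browsers send Origin on cross-site form POSTs even when a referrer
    // policy suppresses Referer, so Origin is checked first. "Origin: null"
    // (sandboxed or redirected contexts) yields no host and is rejected.
    $source      = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $source_host = '' === $source ? null : wp_parse_url( $source, PHP_URL_HOST );

    // Fail closed: a same-origin admin POST from a browser carries at least one
    // of these headers, so a request with neither, or with a foreign host, is
    // treated as forged.
    if ( null === $source_host || 0 !== strcasecmp( (string) $source_host, (string) $site_host ) ) {
        error_log( sprintf(
            'csrf-guard: blocked cross-site POST to %s from "%s" (user id %d)',
            $_SERVER['REQUEST_URI'] ?? '',
            $source,
            get_current_user_id()
        ) );
        wp_die( 'Cross-site request blocked.', 403 );
    }
}
// Priority 0 so the guard runs before plugin handlers hooked at the default 10.
add_action( 'admin_init', 'example_admin_csrf_guard', 0 );
```

The guard is deliberately site-wide rather than plugin-specific, because the advisory does not name the exact bulk-action endpoint. Expect it to break any legitimate integration that submits authenticated POSTs to wp-admin from another origin; check the error_log output for false positives before relying on it, and remove it once the plugin is updated to 2.7.9.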

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Five Star Restaurant Reservations. If version is below 2.7.9, it is vulnerable.

Check Version:

wp plugin get five-star-restaurant-reservations --field=version

Verify Fix Applied:

After update, confirm plugin version is 2.7.9 or higher in WordPress admin plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Bulk deletions of bookings that no administrator initiated. WordPress core does not log plugin actions, so this requires the plugin's own logging or an activity-log plugin.
  • Nonce validation failures ("The link you followed has expired"). WordPress does not log these by default; they become visible only if an activity-log plugin or a custom hook records them.

Network Indicators:

  • HTTP POST requests to the plugin's admin bulk-action handler (typically /wp-admin/admin-ajax.php or an admin.php page) whose Origin or Referer header names a host other than the site. The advisory does not name the exact endpoint or parameter; confirm them against the plugin version you run.

SIEM Query:

Illustrative only; "bulk_delete" is a placeholder for the plugin's actual bulk-action parameter value:

source="wordpress.log" AND "admin-ajax.php" AND "action=bulk_delete"
