CVE-2022-0421: CWE-116 Improper Encoding or Escaping of Output in Unknown Five Star Restaurant Reservations
The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping, attackers could perform Cross-Site Scripting attacks against a logged in admin viewing the failed payments.
AI Analysis
Technical Summary
CVE-2022-0421 is a medium-severity vulnerability affecting the Five Star Restaurant Reservations WordPress plugin versions prior to 2.4.12. The core issue arises from improper authorization controls and insufficient output encoding or escaping (CWE-116). Specifically, the plugin lacks proper authorization checks when changing the payment status of bookings, allowing unauthenticated attackers to arbitrarily modify payment statuses from successful to failed or vice versa. This unauthorized modification can disrupt booking and payment workflows, potentially leading to financial discrepancies or fraudulent booking confirmations. Additionally, the plugin fails to sanitize and escape output correctly, enabling Cross-Site Scripting (XSS) attacks. An attacker can inject malicious scripts that execute in the context of an authenticated administrator viewing the failed payments page. This XSS vector requires the victim to be logged in and to view the manipulated data, but it can lead to session hijacking, privilege escalation, or further compromise of the WordPress administrative environment. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting network exploitability without privileges but requiring user interaction (an admin viewing the page). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No known public exploits have been reported, and no official patches or vendor information are available, suggesting the plugin may be from a smaller or less widely known vendor. The vulnerability was published on November 21, 2022, and is tracked by WPScan and CISA, indicating recognition by security authorities.
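The two controls the summary describes as missing, shown as an added example that is not the plugin's own code: a WordPress admin-ajax handler for changing a booking's payment status that enforces a nonce, a capability check and an allow-list on the status value, and a renderer for the failed-payments table that escapes every stored field. The hook and function names, the nonce action, the meta key and the booking object fields are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook, function and meta names are
// hypothetical; the real plugin's internals are not shown on this page.

// Register the endpoint for logged-in users only. Not registering a
// wp_ajax_nopriv_ hook is the first defence against unauthenticated calls.
add_action( 'wp_ajax_rtb_update_payment_status', 'rtb_update_payment_status' );

function rtb_update_payment_status() {
    // 1. CSRF protection: the request must carry a nonce issued to this admin.
    check_ajax_referer( 'rtb_payment_status', 'nonce' );

    // 2. Authorisation: only users allowed to manage the site may change
    //    payment state. This is the check whose absence CVE-2022-0421 describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: booking id must be a positive integer and the
    //    status must come from a fixed allow-list, never stored verbatim.
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed    = array( 'paid', 'failed' );
    if ( 0 === $booking_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    // Hypothetical storage: booking status kept in post meta.
    update_post_meta( $booking_id, 'rtb_payment_status', $status );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => $status ) );
}

// Rendering the failed-payments list: every stored value is escaped for the
// HTML context it lands in, so text an attacker controlled at booking time
// (name, note) cannot become markup in the administrator's browser.
function rtb_render_failed_payment_row( $booking ) {
    // $booking is a hypothetical object with id, name, note and status fields.
    printf(
        '<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td></tr>',
        (int) $booking->id,
        esc_html( $booking->name ),
        esc_html( $booking->note ),
        esc_html( $booking->status )
    );
}
```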
Potential Impact
For European organizations using the Five Star Restaurant Reservations plugin, this vulnerability poses risks to the integrity and reliability of their booking and payment systems. Unauthorized modification of payment statuses can lead to financial losses, customer dissatisfaction, and reputational damage. The XSS vulnerability threatens administrative account security, potentially allowing attackers to hijack sessions or execute arbitrary code within the WordPress admin interface. This could lead to broader site compromise, data leakage, or further malware deployment. Organizations in the hospitality sector, especially small to medium-sized restaurants relying on this plugin for online reservations, are at risk. The impact is heightened for businesses processing sensitive customer payment data under GDPR, as exploitation could lead to data breaches and regulatory penalties. Furthermore, if attackers leverage this vulnerability to disrupt booking operations, it could affect service availability indirectly through operational disruption. Given the unauthenticated nature of the payment status modification, the attack surface is broad, increasing the likelihood of exploitation attempts.
Mitigation Recommendations
Since no official patches are currently available, European organizations should take immediate compensating controls. First, restrict access to the WordPress admin interface using IP whitelisting or VPNs to limit exposure to trusted personnel only. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests attempting to modify payment statuses or inject scripts. Regularly audit booking and payment records for anomalies indicating unauthorized changes. Disable or remove the Five Star Restaurant Reservations plugin if feasible until a patched version is released. If removal is not possible, consider isolating the plugin's functionality or replacing it with a more secure alternative. Educate administrators to avoid clicking on suspicious links or viewing untrusted input in the admin interface. Enable Content Security Policy (CSP) headers to mitigate the impact of XSS attacks by restricting script execution sources. Monitor security advisories for updates or patches from the plugin vendor or WordPress community. Finally, ensure all WordPress core and other plugins are up to date to reduce the overall attack surface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2022-01-31T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee017
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 6/25/2025, 7:01:52 AM
Last updated: 8/12/2025, 2:38:28 PM