CVE-2026-0658: CWE-352 Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations
The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
AI Analysis
Technical Summary
CVE-2026-0658 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Five Star Restaurant Reservations WordPress plugin prior to version 2.7.9. The vulnerability stems from missing CSRF token validation in some of the plugin's bulk action handlers. CSRF attacks exploit the trust a web application places in a logged-in user's browser: because the browser attaches the session cookie to every request to the site, a request forged from another origin is processed as if the user had intended it. In this case, an attacker can craft a malicious webpage or link that, when visited by an authenticated administrator of a WordPress site using the vulnerable plugin, triggers unauthorized bulk actions such as deleting multiple bookings. This can lead to loss of critical reservation data and disrupt business operations. Exploitation requires that the victim be logged in with administrative privileges and interact with the attack vector (e.g., by visiting a malicious site). There are no known public exploits or patches currently available, and no CVSS score has been assigned. The vulnerability is classified under CWE-352, which covers CSRF weaknesses. The plugin is widely used on hospitality-related WordPress sites, making it a relevant threat to organizations managing restaurant reservations online.
Potential Impact
For European organizations, particularly those in the hospitality and restaurant sectors relying on WordPress with the Five Star Restaurant Reservations plugin, this vulnerability could lead to unauthorized deletion of booking data, causing operational disruption and reputational damage. Loss of reservation data can result in customer dissatisfaction, financial loss, and potential legal consequences under data protection regulations such as GDPR if customer information is affected. The integrity and availability of reservation systems are at risk, potentially impacting business continuity. Since the attack requires administrative credentials and user interaction, the risk is somewhat mitigated but remains significant for organizations with multiple administrators or less stringent user security awareness. The disruption could be more severe for large-scale restaurant chains or booking platforms operating across multiple European countries.
Mitigation Recommendations
1. Monitor for updates to the Five Star Restaurant Reservations plugin and apply version 2.7.9 or later once released, as it will likely contain the necessary CSRF protections.
2. Until an official patch is available, implement web application firewall (WAF) rules to detect and block suspicious CSRF attack patterns targeting the plugin's bulk action endpoints.
3. Educate WordPress administrators to avoid clicking untrusted links or visiting suspicious websites while logged into admin accounts.
4. Limit the number of users with administrative privileges to reduce the attack surface.
5. Consider adding CSRF token or nonce validation via custom plugin modifications or security plugins that enhance CSRF protections.
6. Regularly back up reservation data to enable recovery in case of data deletion.
7. Conduct security audits and penetration testing focused on WordPress plugins to identify similar vulnerabilities proactively.
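As an added illustration (not the plugin's own code, whose internals this advisory does not show), the handlers below contrast a WordPress bulk-delete action with no nonce check, the CWE-352 weakness class described in the Technical Summary, with the nonce-and-capability-checked form that mitigation item 5 calls for. The rr_* function names, the rr_booking post type and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The rr_* names, the
// 'rr_booking' post type and the capability used are hypothetical.

// Vulnerable pattern (CWE-352): the handler trusts any POST that carries the
// admin's session cookie, which the browser attaches regardless of origin.
function rr_bulk_delete_bookings_vulnerable() {
    if ( 'delete' !== ( $_POST['bulk_action'] ?? '' ) || empty( $_POST['booking_ids'] ) ) {
        return;
    }
    foreach ( array_map( 'absint', (array) $_POST['booking_ids'] ) as $id ) {
        wp_delete_post( $id, true );
    }
}

// Hardened pattern: the bulk form embeds a nonce bound to the current user
// and to the action name, and the handler refuses requests without it.
function rr_render_bulk_form( array $bookings ) {
    echo '<form method="post">';
    // Emits a hidden nonce field; the token is unknown to any other origin.
    wp_nonce_field( 'rr_bulk_delete_bookings', 'rr_bulk_nonce' );
    foreach ( $bookings as $booking ) {
        printf( '<input type="checkbox" name="booking_ids[]" value="%d">', absint( $booking->ID ) );
    }
    echo '<input type="hidden" name="bulk_action" value="delete">';
    submit_button( 'Delete selected' );
    echo '</form>';
}

function rr_bulk_delete_bookings_fixed() {
    if ( 'delete' !== ( $_POST['bulk_action'] ?? '' ) || empty( $_POST['booking_ids'] ) ) {
        return;
    }
    // Capability check: authorisation is separate from the CSRF check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF check: check_admin_referer() verifies the nonce for this action and
    // calls wp_die() when it is missing, expired or issued to another user.
    check_admin_referer( 'rr_bulk_delete_bookings', 'rr_bulk_nonce' );
    foreach ( array_map( 'absint', (array) $_POST['booking_ids'] ) as $id ) {
        if ( 'rr_booking' === get_post_type( $id ) ) { // only delete bookings
            wp_delete_post( $id, true );
        }
    }
}

// Only the hardened handler is hooked into the admin request lifecycle.
add_action( 'admin_init', 'rr_bulk_delete_bookings_fixed' );
```

The nonce check does not replace the capability check: the former proves the request came from a form the site itself rendered for this user, the latter proves the user is allowed to perform the action.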
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-01-06T19:46:02.313Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 698043e3ac06320222c1dd0e
Added to database: 2/2/2026, 6:27:47 AM
Last enriched: 2/2/2026, 6:42:08 AM
Last updated: 2/7/2026, 2:40:07 AM