CVE-2026-0658 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Five Star Restaurant Reservations WordPress plugin, specifically in versions before 2.7.9. The vulnerability stems from the absence of CSRF token validation in some bulk action functionalities within the plugin. CSRF attacks exploit the trust a web application places in a user's browser by tricking authenticated users into submitting unwanted requests. In this case, an attacker can craft a malicious webpage or link that, when visited by a logged-in administrator of a WordPress site using the vulnerable plugin, triggers unauthorized bulk actions such as deleting multiple restaurant bookings. This attack compromises the integrity of booking data by allowing unauthorized deletion without the admin's explicit consent. The vulnerability does not impact confidentiality or availability directly, as it does not expose sensitive data or cause denial of service. Exploitation requires the victim to be authenticated with administrative privileges and to interact with the attacker's content, making social engineering a component of the attack vector. The CVSS v3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. No public exploits have been reported yet, but the vulnerability is published and recognized by WPScan and the CVE database. The plugin is commonly used by restaurants to manage reservations on WordPress sites, making it a relevant target for attackers aiming to disrupt hospitality services or cause operational issues.

For European organizations, particularly those in the hospitality and restaurant sectors using WordPress with the Five Star Restaurant Reservations plugin, this vulnerability poses a risk to the integrity of their booking data. Unauthorized deletion of bookings can lead to operational disruptions, loss of customer trust, and potential financial losses due to missed reservations. While the vulnerability does not expose sensitive personal data or cause service outages, the manipulation of booking records can degrade service quality and damage reputation. Attackers could leverage this vulnerability to cause confusion or sabotage competitors by deleting legitimate bookings. The requirement for an authenticated admin user to be tricked into visiting a malicious page limits the scope but does not eliminate the risk, especially in environments with less stringent user awareness or where phishing attacks are prevalent. European organizations with high WordPress usage and significant online booking operations are more exposed. Additionally, regulatory frameworks like GDPR emphasize data integrity and operational reliability, so such incidents could have compliance implications if they lead to service failures or customer complaints.

The primary mitigation is to update the Five Star Restaurant Reservations plugin to version 2.7.9 or later, where CSRF protections have been implemented for all bulk actions. Organizations should ensure that all WordPress plugins are kept up to date as part of routine maintenance. Additionally, administrators should be trained to recognize phishing and social engineering attempts to reduce the risk of being tricked into executing malicious actions. Implementing Content Security Policy (CSP) headers and SameSite cookie attributes can help mitigate CSRF risks by restricting cross-origin requests. Employing multi-factor authentication (MFA) for admin accounts can reduce the risk of compromised credentials being used in conjunction with CSRF attacks. Regular backups of booking data should be maintained to allow recovery in case of unauthorized deletions. Finally, monitoring and logging admin actions can help detect suspicious activities early and enable rapid response.