CVE-2026-6498: CWE-345 Insufficient Verification of Data Authenticity in rustaurius Five Star Restaurant Reservations – WordPress Booking Plugin
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id POST parameter and the booking's stripe_payment_intent_id property. When an unauthenticated attacker submits a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before the Stripe payment intent has been created for a booking (i.e., before the JavaScript-triggered create_stripe_pmtIntnt() call has stored an intent ID in post meta), the stripe_payment_intent_id property on the booking object remains null. The comparison sanitize_text_field('') == null evaluates to TRUE in PHP loose comparison, causing the payment verification check to pass with zero actual payment. This makes it possible for unauthenticated attackers to mark any existing payment_pending booking as paid without completing a Stripe payment by submitting an empty payment_id parameter.
AI Analysis
Technical Summary
CVE-2026-6498 is a vulnerability in the Five Star Restaurant Reservations WordPress plugin caused by insufficient verification of data authenticity (CWE-345). The valid_payment() function uses a PHP loose equality check (==) between the payment_id POST parameter and the booking object's stripe_payment_intent_id. If the stripe_payment_intent_id is null (before Stripe payment intent creation), submitting an empty payment_id results in the comparison evaluating to true, enabling an unauthenticated attacker to bypass payment and mark bookings as paid without completing a Stripe payment. This affects versions up to and including 2.7.16.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass payment verification and mark any existing payment_pending booking as paid without making an actual Stripe payment. This can lead to unauthorized free bookings and potential financial loss for the merchant. There is no confidentiality or availability impact indicated.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available. Users should monitor the vendor's advisory for updates. Until a patch is released, consider implementing additional server-side validation to ensure payment intent IDs are properly verified and avoid relying on PHP loose comparisons for critical payment verification logic.
CVE-2026-6498: CWE-345 Insufficient Verification of Data Authenticity in rustaurius Five Star Restaurant Reservations – WordPress Booking Plugin
Description
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id POST parameter and the booking's stripe_payment_intent_id property. When an unauthenticated attacker submits a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before the Stripe payment intent has been created for a booking (i.e., before the JavaScript-triggered create_stripe_pmtIntnt() call has stored an intent ID in post meta), the stripe_payment_intent_id property on the booking object remains null. The comparison sanitize_text_field('') == null evaluates to TRUE in PHP loose comparison, causing the payment verification check to pass with zero actual payment. This makes it possible for unauthenticated attackers to mark any existing payment_pending booking as paid without completing a Stripe payment by submitting an empty payment_id parameter.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6498 is a vulnerability in the Five Star Restaurant Reservations WordPress plugin caused by insufficient verification of data authenticity (CWE-345). The valid_payment() function uses a PHP loose equality check (==) between the payment_id POST parameter and the booking object's stripe_payment_intent_id. If the stripe_payment_intent_id is null (before Stripe payment intent creation), submitting an empty payment_id results in the comparison evaluating to true, enabling an unauthenticated attacker to bypass payment and mark bookings as paid without completing a Stripe payment. This affects versions up to and including 2.7.16.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass payment verification and mark any existing payment_pending booking as paid without making an actual Stripe payment. This can lead to unauthorized free bookings and potential financial loss for the merchant. There is no confidentiality or availability impact indicated.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available. Users should monitor the vendor's advisory for updates. Until a patch is released, consider implementing additional server-side validation to ensure payment intent IDs are properly verified and avoid relying on PHP loose comparisons for critical payment verification logic.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-17T09:18:40.690Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f3499ecbff5d8610da76fb
Added to database: 4/30/2026, 12:22:54 PM
Last enriched: 4/30/2026, 12:36:21 PM
Last updated: 6/13/2026, 6:28:36 PM
Views: 81
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.