CVE-2026-6498: CWE-345 Insufficient Verification of Data Authenticity in rustaurius Five Star Restaurant Reservations – WordPress Booking Plugin
The Five Star Restaurant Reservations WordPress plugin (up to version 2. 7. 16) contains a vulnerability where an unauthenticated attacker can bypass payment verification. This occurs due to a PHP loose comparison in the valid_payment() function between a user-controlled payment_id parameter and the booking's stripe_payment_intent_id property. When the stripe_payment_intent_id is null (before a Stripe payment intent is created), the comparison incorrectly evaluates as true if the attacker submits an empty payment_id, allowing the attacker to mark bookings as paid without actual payment.
AI Analysis
Technical Summary
CVE-2026-6498 is a vulnerability in the Five Star Restaurant Reservations WordPress plugin caused by insufficient verification of data authenticity (CWE-345). The valid_payment() function uses a PHP loose equality check (==) between the payment_id POST parameter and the booking object's stripe_payment_intent_id. If the stripe_payment_intent_id is null (before Stripe payment intent creation), submitting an empty payment_id results in the comparison evaluating to true, enabling an unauthenticated attacker to bypass payment and mark bookings as paid without completing a Stripe payment. This affects versions up to and including 2.7.16.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass payment verification and mark any existing payment_pending booking as paid without making an actual Stripe payment. This can lead to unauthorized free bookings and potential financial loss for the merchant. There is no confidentiality or availability impact indicated.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available. Users should monitor the vendor's advisory for updates. Until a patch is released, consider implementing additional server-side validation to ensure payment intent IDs are properly verified and avoid relying on PHP loose comparisons for critical payment verification logic.
CVE-2026-6498: CWE-345 Insufficient Verification of Data Authenticity in rustaurius Five Star Restaurant Reservations – WordPress Booking Plugin
Description
The Five Star Restaurant Reservations WordPress plugin (up to version 2. 7. 16) contains a vulnerability where an unauthenticated attacker can bypass payment verification. This occurs due to a PHP loose comparison in the valid_payment() function between a user-controlled payment_id parameter and the booking's stripe_payment_intent_id property. When the stripe_payment_intent_id is null (before a Stripe payment intent is created), the comparison incorrectly evaluates as true if the attacker submits an empty payment_id, allowing the attacker to mark bookings as paid without actual payment.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6498 is a vulnerability in the Five Star Restaurant Reservations WordPress plugin caused by insufficient verification of data authenticity (CWE-345). The valid_payment() function uses a PHP loose equality check (==) between the payment_id POST parameter and the booking object's stripe_payment_intent_id. If the stripe_payment_intent_id is null (before Stripe payment intent creation), submitting an empty payment_id results in the comparison evaluating to true, enabling an unauthenticated attacker to bypass payment and mark bookings as paid without completing a Stripe payment. This affects versions up to and including 2.7.16.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass payment verification and mark any existing payment_pending booking as paid without making an actual Stripe payment. This can lead to unauthorized free bookings and potential financial loss for the merchant. There is no confidentiality or availability impact indicated.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available. Users should monitor the vendor's advisory for updates. Until a patch is released, consider implementing additional server-side validation to ensure payment intent IDs are properly verified and avoid relying on PHP loose comparisons for critical payment verification logic.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-17T09:18:40.690Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f3499ecbff5d8610da76fb
Added to database: 4/30/2026, 12:22:54 PM
Last enriched: 4/30/2026, 12:36:21 PM
Last updated: 4/30/2026, 1:23:31 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.