CVE-2026-42670: WordPress Five Star Restaurant Reservations plugin <= 2.7.14 - Payment Bypass vulnerability
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fixed version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass vulnerability exists in the Five Star Restaurant Reservations WordPress plugin, affecting all versions through 2.7.14. The flaw is reachable over the network with no authentication required, so any remote visitor can send a crafted request to the affected endpoint. Successful exploitation allows an attacker to read protected reservation or payment data without passing the intended authorization checks. The upstream title describes the issue as a payment bypass, but the published CVSS vector (C:H/I:N/A:N) records a confidentiality impact only; the analysis below follows the vector. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-42670 is available across every HarborGuard environment, with ingestion from upstream feeds including Patchstack occurring within minutes of publication and matching performed against all customer images, including custom-built WordPress images that bundle this plugin.
- Scoring: Available. HarborGuard scores this CVE at CVSS 7.5 HIGH and makes that rating available alongside per-environment compliance policy weighting, routing findings to the appropriate team inbox within each customer organization.
- Patched image: Pending upstream. Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Etoile Web Design Incorporated ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected plugin versions.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress instance to exploit it.
- Authentication: Not required
No account or session credential of any kind is needed; the vulnerability is exploitable by any unauthenticated remote party.
- Victim interaction: Not required
The attacker sends a direct request to the affected endpoint and does not need any user to take any action.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental setup.
Blast Radius
- An attacker can read reservation records, which may include guest names, contact details, party size, and booking times.
- Payment-related data stored or referenced in the plugin's reservation flow is exposed, which may include transaction identifiers or payment status fields.
- No write access or service disruption is implied by the published vector (I:N, A:N); the attacker gains read access only.
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-42670 as of the publication date, the platform monitors the Patchstack advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment a remediated release is published upstream. In the interim, customers can use HarborGuard's policy controls to flag workloads that expose the affected plugin's reservation endpoints to the public internet, apply egress filtering on containers running this plugin (a general hardening measure; it does not by itself prevent unauthenticated reads of the endpoint), and configure compliance policies to flag or block promotion of images containing Five Star Restaurant Reservations at or below version 2.7.14 through staging and production pipelines. For customers with auto-remediation enabled, a rebuilt image and a PR opened against affected workloads will be generated automatically once a fixed version is available upstream.
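The compensating control above (flag or block images that carry the plugin at or below 2.7.14) needs a way to find the plugin inside an image and read its version. The following Python does that against an unpacked container rootfs by locating WordPress plugin main files and parsing their headers the way WordPress itself does. It is an added example, not HarborGuard's policy-engine code and not the plugin's code. Two assumptions are labelled in the code: the plugin directory name `restaurant-reservations` (the page gives only the product name, so matching keys primarily on the `Plugin Name:` header field), and the sample rootfs that `build_sample_rootfs()` constructs so the scan has realistic input without a real image. Because no fixed version is published, versions newer than 2.7.14 are reported as `unverified` rather than `fixed`.

```python
"""Scan an unpacked container rootfs for the affected plugin at a vulnerable version.

Added example; not HarborGuard's policy-engine code and not the plugin's code.
Assumptions: the plugin directory name 'restaurant-reservations' (the page
gives only the product name), a conventional WordPress layout under
wp-content/plugins, and the constructed sample rootfs from build_sample_rootfs().
"""
import os
import re
import tempfile

AFFECTED_PLUGIN_NAME = "Five Star Restaurant Reservations"   # from the advisory
ASSUMED_SLUG = "restaurant-reservations"                      # assumption
LAST_AFFECTED = "2.7.14"                                      # from the advisory
FIXED_IN = None                                               # no fix published yet

# WordPress reads plugin headers from the first 8 KiB of each top-level .php file
# in a plugin directory, matching "Key: value" lines whatever the comment decoration.
_HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                        re.MULTILINE | re.IGNORECASE)


def parse_plugin_header(text):
    """Return the 'plugin name' and 'version' header fields found in text."""
    return {k.lower(): v.strip() for k, v in _HEADER_RE.findall(text[:8192])}


def version_key(version):
    """Numeric tuple for ordering versions: '2.7.14' sorts below '2.10.0'."""
    return tuple(int(p) for p in re.split(r"[^0-9]+", version) if p)


def classify(version):
    """'affected', 'fixed', or 'unverified' (newer than the last version known to
    be affected, but no fixed version has been published upstream)."""
    if FIXED_IN is not None and version_key(version) >= version_key(FIXED_IN):
        return "fixed"
    if version_key(version) <= version_key(LAST_AFFECTED):
        return "affected"
    return "unverified"


def scan(rootfs):
    """Walk rootfs, locate wp-content/plugins/*/ main files, and report matches."""
    findings = []
    for dirpath, dirnames, _ in os.walk(rootfs):
        parent, here = os.path.split(dirpath)
        if here != "plugins" or os.path.basename(parent) != "wp-content":
            continue
        for slug in sorted(dirnames):
            plugin_dir = os.path.join(dirpath, slug)
            for fn in sorted(os.listdir(plugin_dir)):
                path = os.path.join(plugin_dir, fn)
                if not fn.endswith(".php") or not os.path.isfile(path):
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hdr = parse_plugin_header(fh.read(8192))
                if "plugin name" not in hdr:
                    continue          # not a plugin main file
                name_matches = hdr["plugin name"].lower() == AFFECTED_PLUGIN_NAME.lower()
                if not name_matches and slug != ASSUMED_SLUG:
                    continue
                version = hdr.get("version", "0")
                findings.append({"path": path, "slug": slug,
                                 "version": version, "status": classify(version)})
        dirnames[:] = []              # main files are top-level only; do not descend
    return findings


def should_block(findings):
    """Policy decision: block image promotion if any affected copy is present."""
    return any(f["status"] == "affected" for f in findings)


def build_sample_rootfs():
    """Constructed sample rootfs: the affected plugin at 2.7.14 plus one unrelated
    plugin, so scan() has realistic input without a real image."""
    root = tempfile.mkdtemp(prefix="wp-rootfs-")
    plugins = os.path.join(root, "var", "www", "html", "wp-content", "plugins")
    header = "<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n"
    for slug, name, ver in ((ASSUMED_SLUG, AFFECTED_PLUGIN_NAME, "2.7.14"),
                            ("hello-dolly", "Hello Dolly", "1.7.2")):
        os.makedirs(os.path.join(plugins, slug))
        with open(os.path.join(plugins, slug, slug + ".php"), "w") as fh:
            fh.write(header.format(name=name, ver=ver))
    return root


if __name__ == "__main__":
    results = scan(build_sample_rootfs())
    for f in results:
        print(f["status"], f["version"], f["path"])
    print("block promotion:", should_block(results))
```

Point `scan()` at the directory where an image's layers have been extracted (for example the output of `docker export` unpacked into a folder); version ordering uses numeric tuples rather than string comparison so that a future 2.10.x release is not mistaken for an affected 2.1.x one.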
Affected Products
- Etoile Web Design Incorporated / Five Star Restaurant Reservations: ≤ 2.7.14
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N