Platform: wordpress
Component: restaurant-reservations
Fixed in: 2.7.9
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Five Star Restaurant Reservations plugin for WordPress. This flaw allows an attacker to trick an authenticated user into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions within the restaurant reservation system. Versions 0.0.0 through 2.7.8 are affected, and a patch is available in version 2.7.9.
The CSRF vulnerability in Five Star Restaurant Reservations allows an attacker to execute actions as a logged-in user. This could include creating, modifying, or deleting reservations, changing user roles, or accessing sensitive data. Successful exploitation requires the victim to be logged into the WordPress site and visit a malicious webpage crafted by the attacker. The impact is amplified if the attacker can target users with administrative privileges, potentially granting them full control over the reservation system. While no specific real-world exploitation has been publicly reported, CSRF vulnerabilities are commonly exploited in WordPress plugins.
CVE-2025-68601 was publicly disclosed on December 24, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk, suggesting that exploitation is possible but not highly probable without significant effort.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2025-68601 is to upgrade the Five Star Restaurant Reservations plugin to version 2.7.9 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input is properly validated and sanitized to prevent malicious code injection. Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, further reducing the attack surface. After upgrading, verify the fix by attempting to submit a reservation request from a different browser or incognito window to ensure CSRF protection is active.
Update to version 2.7.9, or a newer patched version
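As an added defensive illustration, not code from the Five Star Restaurant Reservations plugin or its vendor, the snippet below shows a hypothetical WordPress booking-deletion handler before and after the standard CSRF fix: a nonce check with check_admin_referer() followed by a capability check, with the nonce emitted by wp_nonce_field() in the plugin's own form. Every rtb_demo_* name and the admin-post action slug are assumptions.

```php
<?php
// Added example (not the plugin's own code): how a WordPress plugin hardens a
// state-changing request against CSRF. The 'rtb_demo_delete_booking' action
// slug and all rtb_demo_* functions are hypothetical.

// BEFORE: a handler that trusts any POST carrying a booking ID. A logged-in
// admin who loads a page the attacker controls can be made to submit it.
function rtb_demo_delete_booking_unsafe() {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( $booking_id ) {
        wp_delete_post( $booking_id, true ); // no nonce, no capability check
    }
    wp_safe_redirect( admin_url( 'admin.php?page=rtb-demo-bookings' ) );
    exit;
}

// AFTER: verify the nonce first, then the capability, then act.
function rtb_demo_delete_booking_safe() {
    // check_admin_referer() stops with a 403 when the nonce is missing or
    // invalid, so a cross-site form post never reaches the delete.
    check_admin_referer( 'rtb_demo_delete_booking', 'rtb_demo_nonce' );

    // A valid nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete bookings.', 'rtb-demo' ), 403 );
    }

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( $booking_id ) {
        wp_delete_post( $booking_id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=rtb-demo-bookings' ) );
    exit;
}
add_action( 'admin_post_rtb_demo_delete_booking', 'rtb_demo_delete_booking_safe' );

// The plugin's admin page emits the nonce inside its form; the value is tied
// to the logged-in user's session and rotates, so a third-party site cannot
// supply it.
function rtb_demo_render_delete_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rtb_demo_delete_booking">
        <input type="hidden" name="booking_id" value="<?php echo absint( $booking_id ); ?>">
        <?php wp_nonce_field( 'rtb_demo_delete_booking', 'rtb_demo_nonce' ); ?>
        <button type="submit">Delete booking</button>
    </form>
    <?php
}
```

To confirm the fix is active after upgrading, a POST to the handler that omits or alters the nonce field should be rejected with a 403 rather than performing the action.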
CVE-2025-68601 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.7.8 of the Five Star Restaurant Reservations plugin, allowing attackers to perform actions as authenticated users.
You are affected if you are using Five Star Restaurant Reservations version 0.0.0 through 2.7.8. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Five Star Restaurant Reservations plugin to version 2.7.9 or later. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.