PT-2022-13170 · WordPress · Five Star Restaurant Reservations

Krzysztof Zając · Published 2022-11-21 · Updated 2023-07-04 · CVE-2022-0421

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Five Star Restaurant Reservations WordPress plugin, versions prior to 2.4.12

Description: The issue allows unauthenticated users to change the payment status of arbitrary bookings due to a lack of authorization. Additionally, it enables attackers to perform Cross-Site Scripting attacks against logged-in admins viewing failed payments because of insufficient sanitization and escaping.

Recommendations: For versions prior to 2.4.12, update to version 2.4.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the payment status change functionality until the update is applied. Avoid using the plugin's payment management features with untrusted users until the issue is resolved.
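The two findings above, a payment status change that anyone could trigger and a failed-payment note rendered unescaped to admins, map onto one small WordPress handler. This is an added example, not code from the plugin or from the advisory; the hook, function, capability, post type and meta key names are assumptions.

```php
<?php
// Added example, not code from the Five Star Restaurant Reservations plugin.
// Hypothetical AJAX handler that changes a booking's payment status, in the
// hardened form the advisory's two findings call for:
//   1. the caller must be authorized (no nopriv hook, capability + nonce check);
//   2. the status and note are validated on input and escaped on output.
// Hook, function, capability, post type and meta key names are assumptions.

add_action( 'wp_ajax_example_update_payment_status', 'example_update_payment_status' );
// Deliberately no 'wp_ajax_nopriv_' counterpart: anonymous requests to
// admin-ajax.php never reach this function.

function example_update_payment_status() {
    // Authorization: only users allowed to manage bookings may change a status.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_update_payment_status', 'nonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $note       = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';

    // Allow-list the status instead of storing whatever string arrived.
    if ( ! in_array( $status, array( 'pending', 'completed', 'failed' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    // 'booking' is an assumed custom post type for reservations.
    if ( 'booking' !== get_post_type( $booking_id ) ) {
        wp_send_json_error( 'unknown booking', 404 );
    }

    update_post_meta( $booking_id, '_payment_status', $status );
    update_post_meta( $booking_id, '_payment_note', $note );
    wp_send_json_success();
}

// Rendering one row of the failed-payments list for an admin: escape at output
// even though the note was sanitized on input, so a stored payload is shown as
// text rather than interpreted as markup in the admin's browser.
function example_render_failed_payment_row( $booking_id ) {
    $note = get_post_meta( $booking_id, '_payment_note', true );
    printf(
        '<tr><td>%d</td><td>%s</td></tr>',
        absint( $booking_id ),
        esc_html( $note )
    );
}
```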

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2022-0421

Affected Products: Five Star Restaurant Reservations