PT-2026-36086 · WordPress · Five Star Restaurant Reservations

Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-6498

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Five Star Restaurant Reservations versions prior to 2.7.17

Description
A payment bypass exists due to PHP type juggling: when a loose comparison is made between values of different types, PHP coerces them before comparing, which can yield an unexpected true result. The valid_payment() function performs a loose comparison (==) between the payment_id POST parameter and the booking's stripe_payment_intent_id property. An unauthenticated attacker can send a request to the 'rtb_stripe_pmt_succeed' AJAX handler before a Stripe payment intent has been created, at which point stripe_payment_intent_id is still null. Because a blank payment_id loosely compared to null evaluates to true, any booking in the payment-pending status can be marked as paid without the transaction ever being completed.

Recommendations
Update to a version later than 2.7.16. As a temporary workaround, restrict access to the 'rtb_stripe_pmt_succeed' AJAX handler or avoid using the payment_id parameter in unauthenticated requests until the update is applied.
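The loose comparison described above, shown beside a strict check, as an added stand-alone model (not the plugin's code; the Booking class and the two function names are assumptions chosen to mirror the advisory's wording):

```php
<?php
// Added illustration of the type-juggling flaw. The class, property and
// function names are assumptions mirroring the advisory, not plugin code.

class Booking {
    // Set only after a Stripe PaymentIntent has been created for the booking.
    public ?string $stripe_payment_intent_id = null;
    public string $payment_status = 'payment_pending';
}

// Vulnerable pattern: loose (==) comparison of untrusted input with the stored id.
// In PHP, '' == null is true, so a request carrying an empty payment_id sent
// before any PaymentIntent exists passes this check.
function valid_payment_loose(Booking $booking, $payment_id): bool {
    return $payment_id == $booking->stripe_payment_intent_id;
}

// Hardened pattern: refuse when no PaymentIntent was ever created, require a
// non-empty string from the client, and compare with identity semantics.
function valid_payment_strict(Booking $booking, $payment_id): bool {
    $stored = $booking->stripe_payment_intent_id;
    if ($stored === null || $stored === '') {
        return false; // nothing to match against yet
    }
    if (!is_string($payment_id) || $payment_id === '') {
        return false; // reject missing, blank or non-string input
    }
    return hash_equals($stored, $payment_id); // strict, constant-time string compare
}

// Constructed request: handler reached before a PaymentIntent exists,
// client sends an empty payment_id (models $_POST['payment_id'] = '').
$booking = new Booking();
$posted_payment_id = '';

echo 'loose check accepts empty id vs null: ';
var_dump(valid_payment_loose($booking, $posted_payment_id));
echo 'strict check accepts empty id vs null: ';
var_dump(valid_payment_strict($booking, $posted_payment_id));

// Legitimate flow: once an intent id is stored, the matching id still passes.
$booking->stripe_payment_intent_id = 'pi_constructed_example';
echo 'strict check accepts matching id: ';
var_dump(valid_payment_strict($booking, 'pi_constructed_example'));
```

The strict variant is the shape of the fix a maintainer would apply; it is not a substitute for updating the plugin.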

Fix

Weakness Enumeration
Insufficient Verification of Data Authenticity

Related Identifiers
CVE-2026-6498

Affected Products
Five Star Restaurant Reservations