PT-2026-57951 · Themelooks · Foodbook Lite – Online Food Ordering System

Eason

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-11802

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp ajax nopriv registration action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users can register option before calling wp insert user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11802

Affected Products

Foodbook Lite – Online Food Ordering System