Payment Bypass in Five Star Restaurant Reservations Plugin for WordPress
CVE-2026-6498
Key Information:
- Vendor: WordPress
- CVE Published: 30 April 2026
What is CVE-2026-6498?
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass caused by PHP type juggling. In all versions up to and including 2.7.16, the valid_payment() function uses a loose comparison between the payment_id POST parameter and the booking's stripe_payment_intent_id property. Because rtb_stripe_pmt_succeed is registered as a nopriv AJAX handler, an unauthenticated user can send a request to it before a Stripe payment intent has been created for the booking. If payment_id is then submitted as an empty string, the loose comparison evaluates to TRUE, and the booking is marked as paid without the actual transaction being completed.
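The comparison described above, reproduced in isolation as an added example; it is not the plugin's code or the vendor's patch. The Booking class, both function bodies and the sample IDs are constructed, and the stored ID is assumed to be null before the intent exists.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a booking; only the property named in the advisory is modelled.
final class Booking
{
    // Assumption: null until a Stripe payment intent has been created.
    public ?string $stripe_payment_intent_id = null;
}

// Loose comparison, the pattern the advisory describes for versions up to 2.7.16.
function valid_payment_loose(Booking $booking, mixed $payment_id): bool
{
    return $payment_id == $booking->stripe_payment_intent_id;
}

// Hardened variant (an assumption, not the vendor's fix): both sides must be
// non-empty strings before they are compared. Rejecting empty values matters
// because '' === '' would still pass a strict comparison on its own.
function valid_payment_strict(Booking $booking, mixed $payment_id): bool
{
    $stored = $booking->stripe_payment_intent_id;
    if (!is_string($payment_id) || $payment_id === '') {
        return false;
    }
    if (!is_string($stored) || $stored === '') {
        return false; // no intent on record, so no payment can be valid
    }
    return hash_equals($stored, $payment_id);
}

$pending = new Booking();                                    // intent not yet created
$paid = new Booking();
$paid->stripe_payment_intent_id = 'pi_constructed_example';  // constructed value

$cases = [
    'empty id, no intent'  => [$pending, ''],
    'empty id, intent set' => [$paid, ''],
    'matching id'          => [$paid, 'pi_constructed_example'],
    'wrong id'             => [$paid, 'pi_constructed_other'],
];

// Print both verdicts side by side for each constructed case.
foreach ($cases as $label => [$booking, $id]) {
    printf("%-22s loose=%-5s strict=%s\n", $label,
        var_export(valid_payment_loose($booking, $id), true),
        var_export(valid_payment_strict($booking, $id), true));
}
```

The two functions disagree only on the first case, which is the state the advisory describes: an empty payment_id arriving before any intent ID has been stored.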
Affected Version(s)
Five Star Restaurant Reservations – WordPress Booking Plugin 0 <= 2.7.16