GHSA-rg6f-xv76-vf59MediumCVSS 5.3
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing...
🔗 CVE IDs covered (1)
📋 Description
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-11802
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L18
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L21
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L68
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L86
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/class-components-ajax.php#L39
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/class-components-ajax.php#L67-L73
- https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/helper-functions.php#L724-L725
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8b67557c-785f-433b-8e5b-fcc0bda14892?source=cve
- https://github.com/advisories/GHSA-rg6f-xv76-vf59