Five Star Restaurant Reservations Payment Bypass Vulnerability via PHP Type Juggling

A vulnerability in the Five Star Restaurant Reservations plugin for WordPress, affecting versions through 2.7.16, allows for payment bypass through PHP type juggling. The issue arises in the valid_payment() function, which uses loose comparison to evaluate the payment_id POST parameter against the booking's stripe_payment_intent_id. An unauthenticated attacker can exploit this by sending a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before a Stripe payment intent has been created for a booking. This exploitation takes advantage of the fact that the stripe_payment_intent_id is null at that time. The loose comparison treats an empty payment_id as valid, allowing the attacker to falsely mark a booking as paid without completing an actual payment.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass payment verification, falsely marking bookings as paid without completing a Stripe payment.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a request to the rtb_stripe_pmt_succeed AJAX handler with an empty payment_id parameter. This request must be made before a Stripe payment intent has been created for the booking, which can be determined by the absence of an intent ID in the booking's post meta.

Remediation

Users are advised to update the Five Star Restaurant Reservations plugin to version 2.7.17 or later.