CVE-2025-12399

WordPress · Alex Reservations: Smart Restaurant Booking plugin

Executive summary

A high-severity vulnerability has been discovered in the Alex Reservations: Smart Restaurant Booking plugin for WordPress. This flaw allows an unauthenticated attacker to upload malicious files to a vulnerable website, which could lead to a complete compromise of the site, data theft, and further attacks originating from the server. Organizations using this plugin should prioritize applying the recommended updates to mitigate the risk of exploitation.

Vulnerability

The vulnerability is an arbitrary file upload due to improper validation of file types. The plugin exposes a REST API endpoint at /wp-json/srr/v1/app/upload/file that does not check the extension or content of the files being uploaded. An unauthenticated attacker can send a crafted request to this endpoint to upload a malicious script, such as a PHP web shell, to the server. Once the malicious file is on the server, the attacker can access it via a web browser to execute arbitrary code with the permissions of the web server process, leading to a full system compromise.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. A successful exploit could have significant business impacts, including unauthorized access to sensitive data such as customer information, payment details, and intellectual property. An attacker could deface the website, disrupt business operations, install malware, or use the compromised server as a pivot point to launch further attacks against the internal network or other external targets. The resulting reputational damage and potential regulatory fines for data breaches pose a serious financial and operational risk to the organization.

Remediation

Immediate Action: All instances of the "Alex Reservations: Smart Restaurant Booking" plugin with a version of 2 or below must be updated immediately to the latest patched version provided by the vendor. If an update is not available or the plugin is not essential for business operations, it should be disabled and removed to eliminate the attack surface.

Proactive Monitoring: Security teams should monitor web server access logs for any POST requests to the /wp-json/srr/v1/app/upload/file endpoint. Additionally, file integrity monitoring (FIM) should be used to scan web-accessible directories (e.g., wp-content/uploads/) for suspicious or newly created executable files (e.g., .php, .phtml).
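Added example (not from the advisory or the plugin vendor): a Python script that applies both checks from the paragraph above, flagging POST requests to the endpoint in combined-format access logs and listing recently modified PHP-like files under an uploads tree. The sample log lines are constructed; the extra extensions .php5 and .phar are an assumption beyond the two the advisory names, and double extensions such as cover.php.jpg are flagged as well.

```python
import os
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/wp-json/srr/v1/app/upload/file"  # endpoint named in the advisory
# Extensions the advisory names (.php, .phtml) plus two further PHP-handler variants (assumption).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Apache/Nginx combined log format: client - user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def find_upload_requests(lines):
    """Return (client_ip, timestamp, status) for every POST to the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        path = m.group("path").split("?", 1)[0].rstrip("/")  # drop query string and trailing slash
        if m.group("method") == "POST" and path == UPLOAD_ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def is_executable_name(name):
    """True if any extension in the name is PHP-like, so 'cover.php.jpg' is flagged as well."""
    return any("." + part in EXECUTABLE_EXTS for part in name.lower().split(".")[1:])


def find_executable_files(entries, now, max_age=timedelta(days=1)):
    """entries: iterable of (relative_path, mtime datetime). Return recent executable-looking paths."""
    cutoff = now - max_age
    return sorted(p for p, mtime in entries if mtime >= cutoff and is_executable_name(os.path.basename(p)))


def scan_uploads_dir(uploads_dir):
    """Walk a real wp-content/uploads tree and hand it to find_executable_files."""
    entries = []
    for root, _dirs, files in os.walk(uploads_dir):
        for f in files:
            full = os.path.join(root, f)
            entries.append((os.path.relpath(full, uploads_dir), datetime.fromtimestamp(os.path.getmtime(full))))
    return find_executable_files(entries, datetime.now())


# Constructed sample log lines for demonstration (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /wp-json/srr/v1/app/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2025:10:01:09 +0000] "POST /wp-json/srr/v1/app/upload/file HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Nov/2025:10:02:41 +0000] "POST /wp-json/srr/v1/app/upload/file?x=1 HTTP/1.1" 403 0 "-" "curl/8.4"',
    "this line is not in combined log format",
]
```

Run `find_upload_requests(SAMPLE_LOG)` to see the two flagged requests (one accepted with HTTP 200, one blocked with 403), and `scan_uploads_dir("/path/to/wp-content/uploads")` against a real site for the file check.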

Compensating Controls: If patching cannot be performed immediately, a Web Application Firewall (WAF) should be configured to block access to the vulnerable REST endpoint. Additionally, server permissions can be hardened to prevent the execution of scripts from the uploads directory.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high severity of this vulnerability (CVSS 7.2) and the potential for a complete server compromise, it is strongly recommended that organizations take immediate action. The affected plugin must be patched or removed from all WordPress sites within the next 72 hours. Although this CVE is not currently on the CISA KEV list, the ease of exploitation and high potential impact warrant urgent attention to prevent a security breach.