CVE-2026-27436
Rustaurius · Five Star Business Profile and Schema
An arbitrary code execution vulnerability exists in the Rustaurius Five Star Business Profile and Schema WordPress plugin, versions 2.3.19 and earlier. It is exploitable by authenticated users holding the Editor role.
Executive summary
A critical arbitrary code execution vulnerability in Rustaurius Five Star Business Profile and Schema allows an authenticated user with the Editor role to run code on the web server and, from there, take control of the host.
Vulnerability
This vulnerability enables authenticated attackers with 'Editor' privileges to execute arbitrary code on the underlying server. The flaw stems from insufficient input validation: the plugin accepts attacker-controlled input, in the form of malicious files or commands, and passes it to server-side processing without adequate checks. Note that a stock WordPress Editor cannot upload PHP files, edit plugin code or install plugins, so the plugin itself supplies the code execution path; an ordinary content-editing account is all the attacker needs. The advisory does not identify the specific plugin endpoint or parameter involved.
Business impact
Code execution by an authenticated user means total compromise of the WordPress application and, in most deployments, of the underlying web server account. With a CVSS score of 9.1, this represents a severe risk of lateral movement, privilege escalation and persistent backdoor access that can lead to complete system takeover. Because Editor accounts are often issued to contractors and content staff, the practical bar to exploitation is a single phished or reused Editor credential.
Remediation
Immediate Action: Update the Rustaurius Five Star Business Profile and Schema plugin to a release newer than 2.3.19 (every version up to and including 2.3.19 is affected). This is the only change that closes the code execution vector.
Proactive Monitoring: Review WordPress activity logs and web-server access logs for Editor accounts. Look for plugin settings changes, uploads that are not ordinary media types, and requests to unfamiliar PHP paths under wp-content, which would indicate a file has been dropped and executed.
Compensating Controls: Enumerate every account holding the Editor role and remove or downgrade those that do not need it. At the web-server level, deny PHP execution under wp-content/uploads and enforce upload type restrictions, so that a file the plugin accepts cannot be executed even before the patch is applied.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this arbitrary code execution flaw, organizations must treat the plugin update as a high-priority change. Applying the vendor-provided patch is the only fix; restricting Editor accounts and blocking PHP execution under the uploads directory reduce exposure in the meantime but do not remove the vector. Because exploitation needs only Editor credentials, any site that cannot patch promptly should assume those accounts are an attack surface and review them accordingly.