GCVE - cpe:2.3:a:alexreservations:alex_reservations:_smart_restaurant

Approved changes feed: RSS · Atom

cpe:2.3:a:alexreservations:alex_reservations:_smart_restaurant_booking:*:*:*:*:*:*:*:*

part: a version: _smart_restaurant_booking update: *

Vendor	Alexreservations (`7ebefa46-4da2-5057-a75b-dd84aaff4a69`)
Product	Alex Reservations (`b2e45cd8-66c1-54f0-8993-99dbc5c49a82`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-12399`	vulnerable	2026-06-08 07:04:30.172136	Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload HIGH (7.2) The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Published: 2025-11-08T09:28:11.905Z Updated: 2026-04-08T17:32:42.863Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/f2d97646-27a8-4302-be70-7b4fb1a12300?source=cve https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L11 https://github.com/d0n601/CVE-2025-12399 https://ryankozak.com/posts/cve-2025-12399/ https://plugins.trac.wordpress.org/changeset/3390614/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-13380`	vulnerable	2026-06-08 06:25:37.567098	Alex Reservations: Smart Restaurant Booking <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode MEDIUM (6.4) The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rr_form' shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2025-01-30T12:22:27.235Z Updated: 2026-04-08T17:05:34.983Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/89ddede9-3170-48bb-aae5-14f915330f67?source=cve https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/shortcodes.php#L14 https://plugins.trac.wordpress.org/changeset/3229743/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Alex Reservations

PURL mappings

Vulnerability references

Contribute