Analysis Report · Folder Analysis cache/restaurant-reservations_2.7.5 → cache/restaurant-reservations_2.7.7 — CVE-2025-11496
Shared security patch analysis results
CVE Security Analysis & Writeups
ai-generated · per cve
Comprehensive security analysis generated by AI for each confirmed CVE match. Each writeup covers the vulnerability background, technical details, patch analysis, and a PoC guide.
CVE-2025-11496 (NVD entry; AI-generated analysis follows below)
Findings
includes/Notification.class.php
AI: 1 vulnerability
1 true positive
CVE-2025-11496
--- cache/restaurant-reservations_2.7.5/includes/Notification.class.php 2025-12-22 00:31:03.865000119 +0000+++ cache/restaurant-reservations_2.7.7/includes/Notification.class.php 2025-12-22 00:31:06.753178870 +0000@@ -112,13 +112,13 @@ $template_tags = array( '{booking_id}' => $this->booking->ID,- '{user_email}' => $this->booking->email,- '{user_name}' => $this->booking->name,+ '{user_email}' => esc_html( $this->booking->email ),+ '{user_name}' => esc_html( $this->booking->name ), '{party}' => $this->booking->party, '{table}' => implode(',', $this->booking->table ), '{date}' => $this->booking->format_date( $this->booking->date ),- '{phone}' => $this->booking->phone,- '{message}' => $this->booking->message,+ '{phone}' => esc_html( $this->booking->phone ),+ '{message}' => esc_html( $this->booking->message ), '{booking_url}' => $booking_page_url, '{cancellation_url}' => $cancellation_url, '{bookings_link_url}' => admin_url( 'admin.php?page=rtb-bookings&status=pending' ),
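Review bot: `'{party}' => $this->booking->party` and `'{table}' => implode(',', $this->booking->table )` are still written into the tag map raw while the neighbouring string fields get `esc_html()`; unless `party` is validated as an integer before it reaches the booking object and `table` cannot carry user-chosen strings, those two tags remain injection points in the same template, so wrap them too or state in the commit message why they are trusted. Separately, escaping inside the tag map means every consumer of these tags receives entity-encoded text (`&amp;`, `&#039;`), so confirm the notification templates are always rendered as HTML, or decode for any plain-text output.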
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/Notification.class.php Lines 115-121
Old Code:
```php
'{user_email}' => $this->booking->email,
'{user_name}' => $this->booking->name,
'{party}' => $this->booking->party,
'{table}' => implode(',', $this->booking->table ),
'{date}' => $this->booking->format_date( $this->booking->date ),
'{phone}' => $this->booking->phone,
'{message}' => $this->booking->message,
```
Fixed Code:
```php
'{user_email}' => esc_html( $this->booking->email ),
'{user_name}' => esc_html( $this->booking->name ),
'{party}' => $this->booking->party,
'{table}' => implode(',', $this->booking->table ),
'{date}' => $this->booking->format_date( $this->booking->date ),
'{phone}' => esc_html( $this->booking->phone ),
'{message}' => esc_html( $this->booking->message ),
```
Explanation:
User-supplied booking data (email, name, phone, and message) was placed into the notification template tag map without output escaping. The tags are substituted into notification templates that are delivered by email, and an HTML-capable mail client or an admin page that renders the same template would execute any markup or script embedded in those fields. The fix wraps the four string fields in WordPress's `esc_html()`, which entity-encodes `<`, `>`, `&` and both quote characters so the values render as text. `{party}` and `{table}` are left unescaped and `{date}` passes through `format_date()`; `party` is expected to be numeric, but nothing in this hunk validates it, so those tags are worth checking separately.
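To make the template-tag escaping concrete, the following is an added example (not code from the plugin or from this report). It substitutes the same tag names into a small HTML template and a small plain-text template using a constructed booking, once with the 2.7.5 raw map and once with the 2.7.7 escaped map. The `rtb_tags_275`, `rtb_tags_277` and `rtb_render` helpers are assumptions for running it outside WordPress, where `esc_html()` is approximated with `htmlspecialchars()` and `ENT_QUOTES`, the flags WordPress itself uses.

```php
<?php
// Added example, not plugin code: renders the notification template tags from the
// hunk above with the 2.7.5 (raw) and 2.7.7 (esc_html) tag maps against a
// constructed booking, then shows what a plain-text consumer of the same tags sees.
// esc_html() is a WordPress function; when WordPress is not loaded we approximate it
// with htmlspecialchars() and ENT_QUOTES (assumption: close enough for this demo).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed booking: name carries an XSS payload, phone carries ordinary
// characters that HTML escaping also rewrites.
$booking = (object) array(
    'ID'      => 42,
    'name'    => '<img src=x onerror="alert(document.cookie)">',
    'email'   => 'guest@example.com',
    'phone'   => "+1 555 0100 (O'Brien & Sons)",
    'message' => 'Window seat please',
    'party'   => 4,
);

// 2.7.5: raw values enter the tag map.
function rtb_tags_275( $b ) {
    return array(
        '{booking_id}' => $b->ID,
        '{user_email}' => $b->email,
        '{user_name}'  => $b->name,
        '{party}'      => $b->party,
        '{phone}'      => $b->phone,
        '{message}'    => $b->message,
    );
}

// 2.7.7: the four string fields are escaped as they enter the tag map;
// {party} stays raw, exactly as in the patch.
function rtb_tags_277( $b ) {
    return array(
        '{booking_id}' => $b->ID,
        '{user_email}' => esc_html( $b->email ),
        '{user_name}'  => esc_html( $b->name ),
        '{party}'      => $b->party,
        '{phone}'      => esc_html( $b->phone ),
        '{message}'    => esc_html( $b->message ),
    );
}

// Tag substitution. strtr() replaces each tag once and never re-scans text it has
// already substituted, so a value containing "{phone}" cannot trigger a second pass.
function rtb_render( $template, array $tags ) {
    return strtr( $template, array_map( 'strval', $tags ) );
}

$html_template = "<p>Booking #{booking_id}: {user_name} ({user_email}), {phone}, party of {party}.</p>\n<p>{message}</p>";
$text_template = "Booking #{booking_id}: {user_name} ({user_email}), {phone}, party of {party}.\n{message}";

echo "== 2.7.5, HTML body: the img/onerror payload is live markup ==\n";
echo rtb_render( $html_template, rtb_tags_275( $booking ) ), "\n\n";

echo "== 2.7.7, HTML body: payload is inert text ==\n";
echo rtb_render( $html_template, rtb_tags_277( $booking ) ), "\n\n";

// Caveat: because the escaping lives inside the tag map, every consumer receives
// entities. A text/plain email built from the same map shows the reader
// "O&#039;Brien &amp; Sons" unless it decodes for that context.
echo "== 2.7.7, text/plain body built from the same tags ==\n";
echo rtb_render( $text_template, rtb_tags_277( $booking ) ), "\n\n";

// For a non-HTML context the entities are decoded again; the img tag that
// reappears here is harmless as plain text, since nothing parses it as HTML.
echo "== 2.7.7, text/plain with html_entity_decode() ==\n";
echo html_entity_decode( rtb_render( $text_template, rtb_tags_277( $booking ) ), ENT_QUOTES | ENT_HTML5, 'UTF-8' ), "\n";
```

Run it with `php` from the command line. The last two sections are the point of the caveat: the patched map makes the HTML body safe, but a plain-text notification built from the same map hands the reader entity-encoded text, so non-HTML consumers need a decode step or their own unescaped map.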
CVE Analysis Results:
CVE-2025-11496: Yes
CVE description (NVD):
The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rtb-name' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
includes/Notifications.class.php
AI: 1 vulnerability
1 true positive
CVE-2025-11496
--- cache/restaurant-reservations_2.7.5/includes/Notifications.class.php 2025-12-22 00:31:03.869000366 +0000+++ cache/restaurant-reservations_2.7.7/includes/Notifications.class.php 2025-12-22 00:31:06.753178870 +0000@@ -322,10 +322,10 @@ <tr> <?php if ( $multiple_locations ) { $term = get_term( $booking_object->location ); echo ( ! is_wp_error( $term ) ? "<td>{$term->name}</td>" : '<td></td>' ); } ?> <td><?php echo ( new DateTime( $booking_object->date ) )->format( 'H:i:s' ); ?></td>- <td><?php echo $booking_object->party; ?></td>- <td><?php echo $booking_object->name; ?></td>- <td><?php echo $booking_object->email; ?></td>- <td><?php echo $booking_object->phone; ?></td>+ <td><?php echo esc_html( $booking_object->party ); ?></td>+ <td><?php echo esc_html( $booking_object->name ); ?></td>+ <td><?php echo esc_html( $booking_object->email ); ?></td>+ <td><?php echo esc_html( $booking_object->phone ); ?></td> <?php if ( $display_table ) { $table = implode(', ', $booking_object->table ); echo "<td>{$table}</td>"; } ?> <td><?php echo $rtb_controller->cpts->booking_statuses[$booking_object->post_status]['label'] ?></td> <td>
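Review bot: the same table row still interpolates unescaped values in the unchanged context lines: `echo ( ! is_wp_error( $term ) ? "<td>{$term->name}</td>" : '<td></td>' );`, `$table = implode(', ', $booking_object->table ); echo "<td>{$table}</td>";` and the `booking_statuses[...]['label']` echo. The term name and status label are normally admin-defined, so lower risk, but `$booking_object->table` comes from the same booking record as the four fields this hunk escapes; apply `esc_html()` to `$table` as well (and to the other two for consistency) rather than leaving the row half-escaped.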
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/Notifications.class.php Lines 325-328
Old Code:
```php
<td><?php echo $booking_object->party; ?></td>
<td><?php echo $booking_object->name; ?></td>
<td><?php echo $booking_object->email; ?></td>
<td><?php echo $booking_object->phone; ?></td>
```
Fixed Code:
```php
<td><?php echo esc_html( $booking_object->party ); ?></td>
<td><?php echo esc_html( $booking_object->name ); ?></td>
<td><?php echo esc_html( $booking_object->email ); ?></td>
<td><?php echo esc_html( $booking_object->phone ); ?></td>
```
Explanation:
The original code echoed booking properties (party size, name, email, phone) straight into table cells without escaping. Those properties are stored from the public booking form, so this is stored XSS: a payload placed in any of the four fields is emitted as live markup wherever this table is rendered, in the HTML notification that contains it and in the browser of any administrator who views or previews that notification. Wrapping each value in WordPress's `esc_html()` entity-encodes the HTML special characters, so the browser treats the data as text while still displaying it.
CVE Analysis Results:
CVE-2025-11496: Yes
includes/template-functions.php
AI: Not Sure
1 false positive, 1 true positive
CVE-2025-11496
--- cache/restaurant-reservations_2.7.5/includes/template-functions.php 2025-12-22 00:31:03.873000614 +0000+++ cache/restaurant-reservations_2.7.7/includes/template-functions.php 2025-12-22 00:31:06.753178870 +0000@@ -574,37 +574,6 @@ wp_enqueue_style( 'rtb-columns-alternate', RTB_PLUGIN_URL . '/assets/css/columns-alternate.css' ); wp_enqueue_script( 'rtb-columns', RTB_PLUGIN_URL . '/assets/js/columns.js', array( 'jquery' ), '', true ); }-- // Pass date and time format settings to the pickadate controls- wp_localize_script(- 'rtb-booking-form',- 'rtb_pickadate',- apply_filters(- 'rtb_pickadate_args',- array(- 'date_format' => rtb_esc_js( $rtb_controller->settings->get_setting( 'date-format' ) ),- 'time_format' => rtb_esc_js( $rtb_controller->settings->get_setting( 'time-format' ) ),- 'disable_dates' => rtb_get_datepicker_rules(),- 'schedule_open' => $rtb_controller->settings->get_setting( 'schedule-open' ),- 'schedule_closed' => $rtb_controller->settings->get_setting( 'schedule-closed' ),- 'multiple_locations_enabled' => $rtb_controller->locations->do_locations_exist(),- 'early_bookings' => is_admin() && current_user_can( 'manage_bookings' ) ? '' : $rtb_controller->settings->get_setting( 'early-bookings' ),- 'late_bookings' => is_admin() && current_user_can( 'manage_bookings' ) ? '' : $rtb_controller->settings->get_setting( 'late-bookings' ),- 'enable_max_reservations' => is_admin() && current_user_can( 'manage_bookings' ) ? false : $rtb_controller->settings->get_setting( 'rtb-enable-max-tables' ),- 'max_people' => is_admin() && current_user_can( 'manage_bookings' ) ? 
100 : $rtb_controller->settings->get_setting( 'rtb-max-people-count' ),- 'enable_tables' => $rtb_controller->settings->get_setting( 'enable-tables' ),- 'date_onload' => $rtb_controller->settings->get_setting( 'date-onload' ),- 'time_interval' => $rtb_controller->settings->get_setting( 'time-interval' ),- 'first_day' => $rtb_controller->settings->get_setting( 'week-start' ),- 'allow_past' => is_admin() && current_user_can( 'manage_bookings' ),- 'date_today_label' => rtb_esc_js( $rtb_controller->settings->get_setting( 'label-date-today' ) ),- 'date_clear_label' => rtb_esc_js( $rtb_controller->settings->get_setting( 'label-date-clear' ) ),- 'date_close_label' => rtb_esc_js( $rtb_controller->settings->get_setting( 'label-date-close' ) ),- 'time_clear_label' => rtb_esc_js( $rtb_controller->settings->get_setting( 'label-time-clear' ) ),- )- )- );- } } // endif; 
@@ -714,9 +683,7 @@ if ( !function_exists( 'rtb_print_form_text_field' ) ) { function rtb_print_form_text_field( $slug, $title, $value, $args = array() ) { - $slug = esc_attr( $slug );- $value = esc_attr( $value );- $type = empty( $args['input_type'] ) ? 'text' : esc_attr( $args['input_type'] );+ $type = empty( $args['input_type'] ) ? 'text' : $args['input_type']; $classes = isset( $args['classes'] ) ? $args['classes'] : array(); $classes[] = 'rtb-text'; $required = isset( $args['required'] ) && $args['required'] ? ' required aria-required="true"' : '';@@ -726,9 +693,9 @@ <div <?php echo rtb_print_element_class( $slug, $classes ); ?>> <?php echo rtb_print_form_error( $slug ); ?> <label for="rtb-<?php echo $slug; ?>">- <?php echo $title; ?>+ <?php echo esc_html( $title ); ?> </label>- <input type="<?php echo $type; ?>" name="rtb-<?php echo $slug; ?>" id="rtb-<?php echo $slug; ?>" value="<?php echo esc_attr( $value ); ?>"<?php echo $required; ?>>+ <input type="<?php echo esc_attr( $type ); ?>" name="rtb-<?php echo esc_attr( $slug ); ?>" id="rtb-<?php echo esc_attr( $slug ); ?>" value="<?php echo esc_attr( $value ); ?>"<?php echo $required; ?>> </div> <?php
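Review bot: the first hunk deletes the whole `wp_localize_script( 'rtb-booking-form', 'rtb_pickadate', ... )` call, which in the visible lines is the only thing handing the date/time formats, schedule, `early_bookings`/`late_bookings` limits and `max_people` to the front-end picker, and the removed lines end with a `- }` whose opening brace is not removed anywhere in the hunk. If the localisation moved to another file in this release, reference it in the commit message; if not, the booking form loses its picker configuration. Either way the stray brace removal needs confirming against the full file so that the `} } // endif;` closing sequence still balances.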
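Review bot: in the second hunk, removing `$slug = esc_attr( $slug );` and `$value = esc_attr( $value );` at the top of `rtb_print_form_text_field()` is only safe if every later use of `$slug` escapes for itself, and three do not: the label's `for="rtb-<?php echo $slug; ?>"` (unchanged context, still raw), `rtb_print_element_class( $slug, $classes )` and `rtb_print_form_error( $slug )`, both of which now receive the unescaped slug instead of the pre-escaped one. Either keep the early `esc_attr()` on `$slug`, or add `esc_attr()` to the `for` attribute and verify both helpers escape internally. `$required` is still echoed raw but is one of two fixed strings chosen by a boolean, so that one is fine.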
AI Analysis
# Security Analysis of Code Diff
## Vulnerability 1
**Vulnerability Existed:** yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79 - includes/template-functions.php Line 729**
**Old Code:**
```php
<label for="rtb-<?php echo $slug; ?>">
<?php echo $title; ?>
</label>
```
**Fixed Code:**
```php
<label for="rtb-<?php echo $slug; ?>">
<?php echo esc_html( $title ); ?>
</label>
```
**Explanation:**
The `$title` label text was echoed into the HTML body without escaping. `$title` is the field label passed by the caller of `rtb_print_form_text_field()`, so whether an attacker can reach it depends on where that label string comes from (plugin defaults, settings, or a filter); the fix is correct regardless of the source, since `esc_html()` is the WordPress escaping function for text inside an HTML element and makes the output inert no matter what the label contains.
---
## Vulnerability 2
**Vulnerability Existed:** no
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79 - includes/template-functions.php Lines 686-690**
**Old Code:**
```php
$slug = esc_attr( $slug );
$value = esc_attr( $value );
$type = empty( $args['input_type'] ) ? 'text' : esc_attr( $args['input_type'] );
```
**Fixed Code:**
```php
$type = empty( $args['input_type'] ) ? 'text' : $args['input_type'];
```
**Explanation:**
Dropping the early `esc_attr()` calls on `$slug` and `$value` is not itself a vulnerability: the same hunk adds `esc_attr()` at the `<input>` output sites (`type`, `name`, `id`, `value`), and `$type` likewise goes from being escaped at assignment to being escaped where it is printed. Escaping at the point of output is the WordPress convention, because it ties the escaping function to the actual context (attribute versus element text) instead of hoping a pre-escaped variable is only ever used in one context. The pattern is only as good as its coverage, though: the label's `for="rtb-<?php echo $slug; ?>"` attribute is left untouched by the diff, and `rtb_print_element_class( $slug, $classes )` and `rtb_print_form_error( $slug )` now receive the raw slug rather than the pre-escaped one, so those sites need their own escaping for the refactor to be a net improvement.
---
## Vulnerability 3
**Vulnerability Existed:** not sure
**Improper Attribute Escaping - CWE-79 - includes/template-functions.php Lines 731-733**
**Old Code:**
```php
<input type="<?php echo $type; ?>" name="rtb-<?php echo $slug; ?>" id="rtb-<?php echo $slug; ?>" value="<?php echo esc_attr( $value ); ?>"<?php echo $required; ?>>
```
**Fixed Code:**
```php
<input type="<?php echo esc_attr( $type ); ?>" name="rtb-<?php echo esc_attr( $slug ); ?>" id="rtb-<?php echo esc_attr( $slug ); ?>" value="<?php echo esc_attr( $value ); ?>"<?php echo $required; ?>>
```
**Explanation:**
The fix applies `esc_attr()` to the `type`, `name`, and `id` attributes, which previously relied on the now-removed pre-escaping of `$slug` and `$type`. In an attribute context the danger is a value containing a double quote: it closes the attribute and lets the rest of the string add new ones, for example a slug of `name" autofocus onfocus="alert(1)` producing `name="rtb-name" autofocus onfocus="alert(1)"`. `esc_attr()` encodes the quote characters so the value cannot leave its attribute. Whether `$slug` or `$args['input_type']` can be attacker-influenced is not visible in this diff (both normally come from the plugin's own field definitions), hence "not sure" on exploitability, but escaping every attribute output is the right hardening either way. `$required` is still echoed raw; it is one of two fixed strings chosen by a boolean, so it is safe.
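The following is an added example, not the plugin's code, illustrating Vulnerability 2 and Vulnerability 3 together. It prints the `<input>` the way the patched hunk does, prints the `<label>` whose `for=` attribute the hunk leaves echoing the raw slug, prints a corrected label, and then parses each fragment with `DOMDocument` to show which one gains an event-handler attribute. The hostile inputs, the `rtb_input_277`, `rtb_label_277` and `rtb_label_fixed` helpers, the `attribute_names`/`has_breakout` checks and the `htmlspecialchars()` stand-ins for `esc_attr()`/`esc_html()` are all assumptions for running it stand-alone.

```php
<?php
// Added example, not plugin code: exercises the attribute-context escaping from the
// second hunk and the one output site it leaves behind. esc_attr()/esc_html() are
// WordPress functions; outside WordPress both are approximated with
// htmlspecialchars() and ENT_QUOTES (assumption: matches WordPress closely enough).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return esc_attr( $text );
    }
}

// Constructed hostile inputs. Whether a caller can really feed these into
// rtb_print_form_text_field() is not visible in the diff; the point of escaping
// at every output site is that it no longer matters.
$slug  = 'name" autofocus onfocus="alert(1)';
$type  = 'text';
$title = 'Name <b>(required)</b>';
$value = '" onmouseover="alert(2)';

// The <input> as 2.7.7 prints it: every attribute value passes through esc_attr().
function rtb_input_277( $slug, $type, $value ) {
    return sprintf(
        '<input type="%s" name="rtb-%s" id="rtb-%s" value="%s">',
        esc_attr( $type ), esc_attr( $slug ), esc_attr( $slug ), esc_attr( $value )
    );
}

// The <label> as 2.7.7 leaves it: $title is escaped, but for= still echoes $slug raw,
// which was only safe while the removed `$slug = esc_attr( $slug );` line existed.
function rtb_label_277( $slug, $title ) {
    return '<label for="rtb-' . $slug . '">' . esc_html( $title ) . '</label>';
}

// How the label should print once the early escaping is gone.
function rtb_label_fixed( $slug, $title ) {
    return '<label for="rtb-' . esc_attr( $slug ) . '">' . esc_html( $title ) . '</label>';
}

// Check: parse the markup the way a browser would and list element@attribute pairs.
function attribute_names( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    $names = array();
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        foreach ( $el->attributes as $attr ) {
            $names[] = $el->nodeName . '@' . $attr->name;
        }
    }
    return $names;
}

// An on* attribute the template never wrote means the value broke out of its quotes.
function has_breakout( $html ) {
    foreach ( attribute_names( $html ) as $pair ) {
        if ( preg_match( '/@on[a-z]+$/', $pair ) ) {
            return true;
        }
    }
    return false;
}

foreach ( array(
    'input, 2.7.7'            => rtb_input_277( $slug, $type, $value ),
    'label, 2.7.7 as patched' => rtb_label_277( $slug, $title ),
    'label, for= escaped'     => rtb_label_fixed( $slug, $title ),
) as $case => $html ) {
    printf(
        "%-24s %s\n  attributes: %s\n  handler breakout: %s\n\n",
        $case, $html, implode( ', ', attribute_names( $html ) ), has_breakout( $html ) ? 'YES' : 'no'
    );
}
```

Run it with `php`; the DOM extension it uses ships with a default PHP build. The parsed attribute list is the useful part: the patched `<input>` and the corrected `<label>` carry only the attributes the template wrote, while the label as the hunk leaves it picks up `autofocus` and `onfocus` from the slug, which is exactly the breakout that `esc_attr()` at the `for=` site prevents.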
CVE Analysis Results:
CVE-2025-11496: Yes