CVE-2026-11802
FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.
| CWE | CWE-862 |
| Vendor | themelooks |
| Product | foodbook lite – online food ordering system |
| Published | Jul 14, 2026 |
| Last Updated | Jul 15, 2026 |
Get instant alerts for themelooks foodbook lite – online food ordering system
Be the first to know when new medium vulnerabilities affecting themelooks foodbook lite – online food ordering system are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N