WordPress Plugin Vulnerabilities

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made

Proof of Concept

Affects Plugins

Plugin icon
ketchup-restaurant-reservations
No known fix

References

CVE
CVE-2022-2753

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Bastijn Ouwendijk
Submitter
Bastijn Ouwendijk
Submitter website
https://bastijnouwendijk.com/
Verified
Yes
WPVDB ID
3c6cc46e-e18a-4f34-ac09-f30ca74a1182

Timeline

Publicly Published
2022-09-06 (about 3 years ago)
Added
2022-09-06 (about 3 years ago)
Last Updated
2022-09-06 (about 3 years ago)

Other

Published
Title
Published
2024-10-21
Title
WP ERP < 1.13.3 - Reflected Cross-Site Scripting
Published
2025-01-03
Title
WP Compress – Instant Performance & Speed Optimization < 6.30.04 - Reflected Cross-Site Scripting via custom_server Parameter
Published
2024-04-24
Title
Shortcodes Ultimate < 7.1.2 - Contributor+ Stored XSS
Published
2015-04-14
Title
iThemes Security 3.0-4.6.12 – Stored Cross-Site Scripting (XSS)
Published
2016-08-03
Title
WordPress Landing Pages <= 2.2.4 - Reflected Cross-Site Scripting (XSS)