The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.
Proof of Concept
Steps to reproduce the vulnerability:
1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]
2. Go to the page while being logged out of WordPress
3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
4. In the 'Comment' field put the following code: <script>alert("XSS")</script>
5. Submit the form
6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
7. Click on 'View upcoming reservations'
8. Select for 'Show reservations for': 'This week'
9. The reservations are loaded and two alerts are shown with text 'XSS'