WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact
WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.

Proof of Concept

Steps to reproduce the vulnerability:

1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]
2. Go to the page while being logged out of WordPress 
3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
4. In the 'Comment' field put the following code: <script>alert("XSS")</script>
5. Submit the form
6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
7. Click on 'View upcoming reservations'
8. Select for 'Show reservations for': 'This week'
9. The reservations are loaded and two alerts are shown with text 'XSS' 

Affects Plugins

redi-restaurant-reservation
Fixed in version 21.0426

References

CVE
CVE-2021-24299
URL
https://packetstormsecurity.com/files/162756/
URL
https://bastijnouwendijk.com/cve-2021-24299/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Bastijn Ouwendijk

Submitter

Bastijn Ouwendijk

Submitter website
https://bastijnouwendijk.com
Verified

Yes

WPVDB ID
fd6ce00b-8c5f-4180-b648-f47b37303670

Timeline

Publicly Published

2021-05-09 (about 1 years ago)

Added

2021-05-09 (about 1 years ago)

Last Updated

2021-06-25 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin
WPScan

Vulnerabilities

WordPressPluginsThemesOur StatsSubmit vulnerabilities

About

How it worksPricingWordPress pluginNewsContact

For Developers

StatusAPI detailsCLI scanner

Other

PrivacyTerms of serviceSubmission termsDisclosure policyPrivacy Notice for California Users
jetpackIn partnership with Jetpack
githubtwitterfacebook
Angithubendeavor
Work With Us