ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.
Proof of Concept
Steps to reproduce the vulnerability:
1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]
2. Go to the page while being logged out of WordPress
3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
4. In the 'Comment' field put the following code: <script>alert("XSS")</script>
5. Submit the form
6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
7. Click on 'View upcoming reservations'
8. Select for 'Show reservations for': 'This week'
9. The reservations are loaded and two alerts are shown with text 'XSS' Affects Plugins
Fixed in version 21.0426✓
Classification
Miscellaneous
Original Researcher
Bastijn Ouwendijk
Submitter
Bastijn Ouwendijk
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-05-09 (about 8 months ago)
Added
2021-05-09 (about 8 months ago)
Last Updated
2021-06-25 (about 7 months ago)