CVE-2021-24299
MEDIUMCatzsoft Redi Restaurant Reservation < 21.0426 - XSS
Title source: ruleDescription
The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.
Exploits (1)
exploitdb
WORKING POC
by Bastijn Ouwendijk · textwebappsphp
https://www.exploit-db.com/exploits/49903
Scores
CVSS v3
6.1
EPSS
0.0034
EPSS Percentile
57.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
catzsoft/redi_restaurant_reservation
< 21.0426
Published
May 17, 2021
Tracked Since
Feb 18, 2026