Bastijn Ouwendijk

**Name of the Vulnerable Software and Affected Versions** The Ketchup Restaurant Reservations WordPress plugin versions 1.0.0 and earlier **Description** The issue allows unauthenticated attackers to perform Cross-Site Scripting attacks when a logged-in admin views a malicious reservation made through the plugin. This is due to the plugin not sanitizing and escaping some of the reservation user inputs. **Recommendations** For The Ketchup Restaurant Reservations WordPress plugin version 1.0.0 and earlier, consider updating to a newer version that addresses this issue, as the current version does not properly sanitize user inputs, leading to potential Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Ketchup Restaurant Reservations WordPress plugin version 1.0.0 **Description** The issue is related to the lack of validation and escaping of some reservation parameters before using them in SQL statements. This could allow unauthenticated attackers to perform SQL Injection attacks. **Recommendations** For version 1.0.0, consider updating to a newer version that addresses this issue, as the current version does not properly validate and escape reservation parameters, making it susceptible to SQL Injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Prayer WordPress plugin versions prior to 1.6.2 **Description** The WP Prayer WordPress plugin provides functionality to store and list prayer/praise requests on a WordPress website. An authenticated WordPress user can fill in a form to request a prayer, which has several fields. The `prayer request` and `praise request` fields do not use proper input validation, allowing them to be used to store XSS payloads. **Recommendations** For WP Prayer WordPress plugin versions prior to 1.6.2, update to version 1.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the prayer request form to minimize the risk of exploitation. Avoid using the `prayer request` and `praise request` fields in the affected form until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ReDi Restaurant Reservation WordPress plugin versions prior to 21.0426 **Description** The issue concerns a lack of proper input validation in the 'Comment' field of the restaurant reservation form, allowing an unauthenticated user to store XSS payloads. These payloads are executed when a plugin user visits the 'Upcoming' page, which loads an external website https://upcoming.reservationdiary.eu/ in an iframe, and the stored reservation with the XSS payload is loaded. **Recommendations** For versions prior to 21.0426, update to version 21.0426 or later to resolve the issue. As a temporary workaround, consider disabling the 'Comment' field in the reservation form until a patch is available. Restrict access to the 'Upcoming' page to minimize the risk of exploitation. Avoid using the 'Comment' field in the affected reservation form until the issue is resolved.