PT-2021-15836 · WordPress · Redi Restaurant Reservation

Bastijn Ouwendijk · Published 2021-05-17 · Updated 2021-05-24 · CVE-2021-24299

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ReDi Restaurant Reservation WordPress plugin versions prior to 21.0426

Description: The issue is a lack of proper input validation in the 'Comment' field of the restaurant reservation form, which allows an unauthenticated user to store XSS payloads. The payload executes when a plugin user visits the 'Upcoming' page: that page loads the external website https://upcoming.reservationdiary.eu/ in an iframe, and the stored reservation, including the XSS payload, is rendered there.

Recommendations: For versions prior to 21.0426, update to version 21.0426 or later to resolve the issue. As a temporary workaround, consider disabling the 'Comment' field in the reservation form, and avoid using it, until a patch is available. Restrict access to the 'Upcoming' page to minimize the risk of exploitation.
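The flaw and its fix, as an added PHP illustration (hypothetical code, not the ReDi plugin's own): a reservation comment stored as received and echoed unescaped into the upcoming-reservations listing, beside a hardened version that sanitizes on input with WordPress's sanitize_text_field() and escapes on output with esc_html(). Function names prefixed redi_* are assumed for the example.

```php
<?php
// Added illustration, not code from the ReDi plugin. The redi_* function
// names are hypothetical; sanitize_text_field(), wp_unslash() and esc_html()
// are real WordPress core functions, so this runs inside a WordPress context.

// Constructed sample submission: the 'Comment' field carries HTML markup.
$submitted = [
    'name'    => 'A. Guest',
    'comment' => 'Window seat please <script>/* constructed */</script>',
];

// VULNERABLE pattern: the comment is stored exactly as received and later
// concatenated into the page, so guest-supplied markup is parsed by the
// browser of whoever views the listing (here, the plugin user on 'Upcoming').
function redi_store_reservation_vulnerable(array $post): array {
    return ['name' => $post['name'], 'comment' => $post['comment']];
}
function redi_render_upcoming_vulnerable(array $r): string {
    return '<li>' . $r['name'] . ': ' . $r['comment'] . '</li>';
}

// HARDENED pattern: sanitize on input (tags and script/style blocks stripped,
// whitespace normalised) AND escape on output. Escaping at render time is the
// essential control: it protects the listing even if unsanitised data is ever
// stored by another path or rendered on a different page or host.
function redi_store_reservation_hardened(array $post): array {
    return [
        'name'    => sanitize_text_field(wp_unslash($post['name'])),
        'comment' => sanitize_text_field(wp_unslash($post['comment'])),
    ];
}
function redi_render_upcoming_hardened(array $r): string {
    // esc_html() turns < > & " ' into HTML entities, so the comment is
    // displayed as text and never interpreted as markup.
    return '<li>' . esc_html($r['name']) . ': ' . esc_html($r['comment']) . '</li>';
}

// Side-by-side output (run in WordPress, e.g. via WP-CLI's `wp shell`):
echo redi_render_upcoming_vulnerable(redi_store_reservation_vulnerable($submitted)), "\n";
echo redi_render_upcoming_hardened(redi_store_reservation_hardened($submitted)), "\n";
```

The first line of output still contains the raw script element; the second contains only the guest's plain text, with any remaining special characters entity-encoded.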


Weakness Enumeration

Related Identifiers: CVE-2021-24299

Affected Products: Redi Restaurant Reservation