Advertisement






WordPress ReDi Restaurant Reservation 21.0307 Cross Site Scripting

CVE Category Price Severity
CVE-2021-24299 CWE-79 Medium
Author Risk Exploitation Type Date
Exploit Alert Medium Remote 2021-05-25
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050138

Below is a copy:

WordPress ReDi Restaurant Reservation 21.0307 Cross Site Scripting
# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)
# Date: 2021-05-10
# Exploit Author: Bastijn Ouwendijk
# Vendor Homepage: https://reservationdiary.eu/
# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/
# Version: 21.0307 and earlier
# Tested on: Windows 10
# CVE : CVE-2021-24299
# Proof: https://bastijnouwendijk.com/cve-2021-24299/

Steps to exploit this vulnerability:

1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert("XSS")</script>`
3. Submit the form
4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
5. Click on 'View upcoming reservations'
6. Select for 'Show reservations for': 'This week'
7. The reservations are loaded and two alerts are shown with text 'XSS'

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum