cleantalk
Vulnerabilities and Security Researches

ReDi Restaurant Reservation, CVE-2021-24299

CVE, Research URL

CVE-2021-24299

Home page URL

Security reports for ReDi Restaurant Reservation

Application

ReDi Restaurant Reservation

Published on
May 17, 2021
Research Description
The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.
Affected versions
Min -, max 21.0426.
Status
vulnerable
Previous vulnerability researches
ReDi Restaurant Reservation (CVE-2021-24299) , Jun 07, 2024
ReDi Restaurant Reservation (CVE-2024-31385) , Jun 07, 2024
ReDi Restaurant Reservation (CVE-2024-29806) , Jun 07, 2024
ReDi Restaurant Reservation (CVE-2024-31299) , Jun 07, 2024
ReDi Restaurant Reservation (CVE-2024-9240) , Oct 18, 2024
New vulnerability
Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post Slider (CVE-2025-4567) , Jun 06, 2025
Popup Maker – Popup for opt-ins, lead gen, & more (CVE-2025-4205) , Jun 06, 2025
MaxiBlocks Free Page Builder & Template Library (CVE-2025-47601) , Jun 06, 2025
MetalpriceAPI (CVE-2025-48140) , Jun 05, 2025
Broken Link Checker (CVE-2025-4047) , Jun 05, 2025