The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded.
Published 2021-05-17 17:15:08
Updated 2021-05-24 19:16:57
Source WPScan
View at NVD,   CVE.org
Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2021-24299

0.09%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-24299

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
4.3
MEDIUM AV:N/AC:M/Au:N/C:N/I:P/A:N
8.6
2.9
NIST
6.1
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2.8
2.7
NIST

CWE ids for CVE-2021-24299

References for CVE-2021-24299

Products affected by CVE-2021-24299

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!