Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting
CVE-2021-24965

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Five Star Restaurant Reservations – WordPress Booking Plugin
Vendor: CVE Published:; 24 January 2022

Summary

The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins

Affected Version(s)

Five Star Restaurant Reservations – WordPress Booking Plugin 2.4.8

References

https://wpscan.com/vulnerability/306ecf09-fdf0-449c-930c-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 24, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Krzysztof Zając