Unprotected Cross-Site Scripting Vulnerability in Reservation plugin for WordPress
CVE-2024-9240

6.1MEDIUM

Key Information:

Vendor: Thecatkin
Status: Redi Restaurant Reservation
Vendor: CVE Published:; 17 October 2024

Summary

The ReDi Restaurant Reservation plugin for WordPress exhibits a vulnerability related to Reflected Cross-Site Scripting due to inadequate escaping when using the add_query_arg function. This vulnerability allows unauthenticated attackers to manipulate URLs and inject arbitrary scripts into web pages. When victims execute actions, such as clicking on a malicious link, the injected scripts can be triggered, facilitating potential exploitation. Users of the ReDi plugin are advised to review their implementation and apply necessary security measures to mitigate risks associated with this vulnerability.

Affected Version(s)

ReDi Restaurant Reservation * <= 24.0902

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/redi-restauran...

https://plugins.trac.wordpress.org/changeset/3167881/redi...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 17, 2024
Vulnerability Reserved
Sep 26, 2024

Credit

Dale Mavers