An exploitable bug in the WordPress plugin ReDi Restaurant Reservation can allow unauthenticated attackers to steal reservation data and personal information.
This WordPress plugin provides a restaurant reservation system that lets customers make and edit reservations. The website administrator can view a list of all reservations made by the plugin. Furthermore, the plugin provides the website owner access to an external website to view and edit all reservations that day from a tablet.
An attacker could exploit the bug to, for example, steal the plugin's API key and, with it, reservation data belonging to customers, session cookies, or other sensitive information.
Researchers alerted Catz Soft, the developers of the plugin, on April 15. On April 25, the fix was released.
Plugin versions before 21.0307 are affected, and a patched version (21.0426) is available for download. The vulnerability is a cross-site scripting (XSS) flaw; it has not yet been assigned a severity rating.
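As an added illustration of the class of flaw named above, and not code from the ReDi Restaurant Reservation plugin or from Catz Soft, here is the generic WordPress pattern in which customer-supplied reservation fields are printed into a page unescaped, beside its hardened form. The field names, the record layout, the two render functions and the sample record are assumptions made for this example; `esc_html()`, `esc_attr()` and `esc_url()` are real WordPress helpers, so the snippet is meant to run inside a loaded WordPress environment (for example within a plugin's admin page callback).

```php
<?php
// Added illustration, not the plugin's own code. Assumes WordPress is loaded
// so that esc_html(), esc_attr() and esc_url() are available.

// Vulnerable pattern: untrusted reservation data is concatenated straight into
// HTML, so a name or comment containing markup becomes part of the page. Any
// script that runs this way executes with the viewer's (e.g. the admin's)
// browser session and can read whatever the page exposes, such as an API key.
function render_reservation_row_unsafe( array $reservation ) {
    return '<tr><td>' . $reservation['name'] . '</td>'
         . '<td>' . $reservation['comment'] . '</td></tr>';
}

// Hardened pattern: escape at output time with the helper that matches the
// HTML context: esc_html() for text nodes, esc_attr() for attribute values,
// esc_url() for href/src. Stored data is left unchanged; encoding is applied
// exactly where the value is printed.
function render_reservation_row_safe( array $reservation ) {
    return '<tr><td>' . esc_html( $reservation['name'] ) . '</td>'
         . '<td>' . esc_html( $reservation['comment'] ) . '</td>'
         . '<td><a href="' . esc_url( $reservation['edit_url'] ) . '" '
         . 'data-id="' . esc_attr( $reservation['id'] ) . '">edit</a></td></tr>';
}

// Constructed sample record (assumed shape) containing characters that would
// otherwise break out of the surrounding HTML.
$sample = array(
    'id'       => 42,
    'name'     => 'Alice <b>"Smith"</b>',
    'comment'  => 'Window seat & no <em>noise</em>',
    'edit_url' => 'https://example.com/wp-admin/admin.php?page=reservations&id=42',
);

echo render_reservation_row_safe( $sample );
```

The defensive point is that escaping belongs at the output boundary, chosen per context, rather than being trusted to whatever validation ran when the reservation was submitted. Where a plugin also exposes endpoints that unauthenticated visitors can reach, the same data should additionally be checked with `sanitize_text_field()` on input and the admin-side views gated by a capability check and a nonce, so that a crafted reservation cannot reach an administrator's browser as live markup.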
If you’re using this plugin, we strongly recommend that you update to the latest version as soon as possible.