# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)  
# Date: 2021-05-10  
# Exploit Author: Bastijn Ouwendijk  
# Vendor Homepage:  
# Software Link:  
# Version: 21.0307 and earlier  
# Tested on: Windows 10  
# CVE : CVE-2021-24299  
# Proof:  
Steps to exploit this vulnerability:  
1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information  
2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert("XSS")</script>`  
3. Submit the form  
4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)  
5. Click on 'View upcoming reservations'  
6. Select for 'Show reservations for': 'This week'  
7. The reservations are loaded and two alerts are shown with text 'XSS'