Steps to reproduce the vulnerability:

1. Install ReDi Restaurant Reservation 21.0307 and create a page with [redirestaurant]
2. Go to the page while being logged out of WordPress 
3. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
4. In the 'Comment' field put the following code: <script>alert("XSS")</script>
5. Submit the form
6. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
7. Click on 'View upcoming reservations'
8. Select for 'Show reservations for': 'This week'
9. The reservations are loaded and two alerts are shown with text 'XSS'