Quote:An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field.
 
The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched (v. 21.0426) version of the plugin available for download. The vulnerability (CVE-2021-24299) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.
 
A public proof-of-concept disclosure of the ReDi bug was released Sunday with the official public disclosure delayed a month “due to the severity of the vulnerability,” according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25.“[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,” according Ouwendijk in a technical breakdown and proof of concept of the bug posted Sunday.
 
Leaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and been responsible for even more vendor fixes. Twitter, Imperva’s Cloud Web Application Firewall and recently 30 popular mHealth apps have each grappled with insecure API key issues.