lioncityrentals.com.sg employed a WordPress installation that possessed a vulnerable plugin, Formidable Forms, which was vulnerable to reflected XSS, and exposed sensitive form data.
Thanks again for the report, @healdb!
This was the first bug I ever found that exposed a large amount of PII. Thanks for disclosing, @uber!
This bug reinforces to me that hackers should always examine microsites as well as core domains; sometimes bugs on microsites can lead to significant data exposure. In this case, lioncityrentals.com.sg was collecting data on thousands of Uber Singapore users, which was then exposed by the outdated WordPress plugin.
You can read more about the Formidable Forms vulnerability here - https://klikki.fi/adv/formidable.html
And be sure to check out my blog https://healdb.tech/blog.html for Bug Bounty tips and guides!